amadey | 31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104

Analysis

max time kernel
53s
max time network
109s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16-05-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe
Size

1.8MB
MD5

0ba8785d268e2b1ca368efbf4be11695
SHA1

7d0fc1c9e2209a18d7e4c729f026ef41d79f56dc
SHA256

31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104
SHA512

a1983e94795a6fbd57c38250a1d1c7673debd39d896488dc066aaeffba95e1874662a0964a56b3145a20152a75b22bc774703f272784c0c1e93a97f528366c13
SSDEEP

24576:IvoZShk8ZTQCy+2IK75UFBVRn362jVSPwxK/okM0PVIltCKJaOOvj76iZppUDumI:IuH89QCyBqVzvwo4VITxOSFoma+q

Score

10^/10

amadey gcleaner glupteba redline stealc xmrig 1 @cloudytteam c767c0 zzvv dropper evasion execution infostealer loader miner stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Extracted

Family

redline

Botnet

@CLOUDYTTEAM

185.172.128.33:8970

Extracted

Family

redline

Botnet

185.215.113.67:26260

Extracted

Family

stealc

Botnet

zzvv

http://23.88.106.134

Attributes

url_path
/c73eed764cc59dcb.php

Extracted

Family

gcleaner

185.172.128.90

5.42.64.56

5.42.65.64

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4236-1312-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4128-1319-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4184-1325-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5676-2974-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5756-2977-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5796-3248-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5756-3273-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5796-3784-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe	family_redline
behavioral2/memory/4104-41-0x0000000000A10000-0x0000000000A62000-memory.dmp	family_redline
behavioral2/memory/4284-45-0x0000000000580000-0x0000000000640000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe	family_redline
behavioral2/memory/3488-99-0x0000000000AA0000-0x0000000000AF2000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

XMRig Miner payload 3 IoCs

miner

Processes:

resource	yara_rule
C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe	family_xmrig
C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe	xmrig
C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe	family_xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 21 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5820	powershell.exe
5460	powershell.exe
5540	powershell.exe
5228	powershell.exe
5024	powershell.exe
5872	powershell.exe
2544	powershell.exe
3700	powershell.exe
6048	powershell.exe
5696	powershell.exe
5204	powershell.exe
4228	powershell.exe
4668	powershell.exe
3296	powershell.exe
5760	powershell.exe
3776	powershell.exe
2136	powershell.exe
5708	powershell.exe
5796	powershell.exe
5496	powershell.exe
4832	powershell.exe

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

5512 netsh.exe
1372 netsh.exe
3660 netsh.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
5512	netsh.exe
1372	netsh.exe
3660	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplons.exe31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe

Executes dropped EXE 2 IoCs

Processes:

axplons.exealex.exe

pid process

2868 axplons.exe
2372 alex.exe

pid	process
2868	axplons.exe
2372	alex.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplons.exe31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\oVTxEVNaPZsFGfc5JkHE6Rwt.exe	themida
behavioral2/memory/4904-1350-0x0000000140000000-0x0000000140C18000-memory.dmp	themida
behavioral2/memory/4904-1439-0x0000000140000000-0x0000000140C18000-memory.dmp	themida
behavioral2/memory/4904-3324-0x0000000140000000-0x0000000140C18000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

64 pastebin.com
66 pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exeaxplons.exe

pid process

2084 31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe
2868 axplons.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

alex.exe

description pid process target process

PID 2372 set thread context of 3932 2372 alex.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe

description ioc process

File created C:\Windows\Tasks\axplons.job 31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1484 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
64	pastebin.com
66	pastebin.com

description	pid	process	target process
PID 2372 set thread context of 3932	2372	alex.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\Tasks\axplons.job	31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe

pid	process
1484	sc.exe

Program crash 23 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
656	2372	WerFault.exe	alex.exe
68	2344	WerFault.exe	dl.exe
1984	2344	WerFault.exe	dl.exe
4944	2824	WerFault.exe	toolspub1.exe
4040	2344	WerFault.exe	dl.exe
4708	2344	WerFault.exe	dl.exe
3288	2344	WerFault.exe	dl.exe
1372	2344	WerFault.exe	dl.exe
868	2344	WerFault.exe	dl.exe
1672	2344	WerFault.exe	dl.exe
1384	2344	WerFault.exe	dl.exe
4832	4932	WerFault.exe	CmkAIfSfoFcqmgMB6cvUlAHz.exe
4112	4932	WerFault.exe	CmkAIfSfoFcqmgMB6cvUlAHz.exe
5356	4932	WerFault.exe	CmkAIfSfoFcqmgMB6cvUlAHz.exe
5960	4932	WerFault.exe	CmkAIfSfoFcqmgMB6cvUlAHz.exe
6116	4932	WerFault.exe	CmkAIfSfoFcqmgMB6cvUlAHz.exe
3916	4932	WerFault.exe	CmkAIfSfoFcqmgMB6cvUlAHz.exe
4668	4932	WerFault.exe	CmkAIfSfoFcqmgMB6cvUlAHz.exe
4948	4932	WerFault.exe	CmkAIfSfoFcqmgMB6cvUlAHz.exe
5416	4932	WerFault.exe	CmkAIfSfoFcqmgMB6cvUlAHz.exe
5964	2344	WerFault.exe	dl.exe
5180	4932	WerFault.exe	CmkAIfSfoFcqmgMB6cvUlAHz.exe
5752	4932	WerFault.exe	CmkAIfSfoFcqmgMB6cvUlAHz.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4676 schtasks.exe
5224 schtasks.exe
4828 schtasks.exe
1416 schtasks.exe

pid	process
4676	schtasks.exe
5224	schtasks.exe
4828	schtasks.exe
1416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exeaxplons.exe

pid	process
2084	31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe
2084	31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe
2868	axplons.exe
2868	axplons.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exeaxplons.exealex.exe

description	pid	process	target process
PID 2084 wrote to memory of 2868	2084	31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe	axplons.exe
PID 2084 wrote to memory of 2868	2084	31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe	axplons.exe
PID 2084 wrote to memory of 2868	2084	31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe	axplons.exe
PID 2868 wrote to memory of 2372	2868	axplons.exe	alex.exe
PID 2868 wrote to memory of 2372	2868	axplons.exe	alex.exe
PID 2868 wrote to memory of 2372	2868	axplons.exe	alex.exe
PID 2372 wrote to memory of 3932	2372	alex.exe	RegAsm.exe
PID 2372 wrote to memory of 3932	2372	alex.exe	RegAsm.exe
PID 2372 wrote to memory of 3932	2372	alex.exe	RegAsm.exe
PID 2372 wrote to memory of 3932	2372	alex.exe	RegAsm.exe
PID 2372 wrote to memory of 3932	2372	alex.exe	RegAsm.exe
PID 2372 wrote to memory of 3932	2372	alex.exe	RegAsm.exe
PID 2372 wrote to memory of 3932	2372	alex.exe	RegAsm.exe
PID 2372 wrote to memory of 3932	2372	alex.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe
"C:\Users\Admin\AppData\Local\Temp\31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
    "C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3932
    - - C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
        5⤵
        
        PID:4104
    - - C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
        5⤵
        
        PID:4284
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        5⤵
        
        PID:4184
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:68
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 512
      4⤵
      Program crash
      PID:656
- - C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"
    3⤵
    PID:4560
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4116
- - C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
    3⤵
    PID:3488
- - C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
    "C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
    3⤵
    PID:5024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameStabilityService\installm.bat" "
      4⤵
      PID:3028
    - - C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        5⤵
        Launches sc.exe
        
        PID:1484
    - - C:\Program Files (x86)\GameStabilityService\GameService.exe
        
        GameService remove GameSyncLinks confirm
        5⤵
        
        PID:2084
    - - C:\Program Files (x86)\GameStabilityService\GameService.exe
        
        GameService install GameStabilityService "C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"
        5⤵
        
        PID:96
    - - C:\Program Files (x86)\GameStabilityService\GameService.exe
        
        GameService start GameStabilityService
        5⤵
        
        PID:3312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      4⤵
      PID:3660
- - C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe
    "C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"
    3⤵
    PID:4676
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2656
- - C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
    3⤵
    PID:4932
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2684
- - C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
    "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"
    3⤵
    PID:3912
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4676
  - - C:\Users\Admin\AppData\Local\Temp\1000263001\dl.exe
      "C:\Users\Admin\AppData\Local\Temp\1000263001\dl.exe"
      4⤵
      PID:2344
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 520
        5⤵
        Program crash
        
        PID:68
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 548
        5⤵
        Program crash
        
        PID:1984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 776
        5⤵
        Program crash
        
        PID:4040
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 836
        5⤵
        Program crash
        
        PID:4708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 852
        5⤵
        Program crash
        
        PID:3288
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 876
        5⤵
        Program crash
        
        PID:1372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 928
        5⤵
        Program crash
        
        PID:868
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1124
        5⤵
        Program crash
        
        PID:1672
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1196
        5⤵
        Program crash
        
        PID:1384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1272
        5⤵
        Program crash
        
        PID:5964
  - - C:\Users\Admin\AppData\Local\Temp\1000264001\toolspub1.exe
      "C:\Users\Admin\AppData\Local\Temp\1000264001\toolspub1.exe"
      4⤵
      PID:2824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 512
        5⤵
        Program crash
        
        PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\1000265001\4767d2e713f2021e8fe856e3ea638b58.exe
      "C:\Users\Admin\AppData\Local\Temp\1000265001\4767d2e713f2021e8fe856e3ea638b58.exe"
      4⤵
      PID:4236
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2544
    - - C:\Users\Admin\AppData\Local\Temp\1000265001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000265001\4767d2e713f2021e8fe856e3ea638b58.exe"
        5⤵
        
        PID:5676
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5820
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:4920
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:5512
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5872
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5204
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        
        PID:772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4668
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:5224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5760
- - C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
    "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"
    3⤵
    PID:2860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3776
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      4⤵
      PID:1992
    - - C:\Users\Admin\Pictures\CmkAIfSfoFcqmgMB6cvUlAHz.exe
        
        "C:\Users\Admin\Pictures\CmkAIfSfoFcqmgMB6cvUlAHz.exe"
        5⤵
        
        PID:4932
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 520
        6⤵
        Program crash
        
        PID:4832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 548
        6⤵
        Program crash
        
        PID:4112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 772
        6⤵
        Program crash
        
        PID:5356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 840
        6⤵
        Program crash
        
        PID:5960
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 852
        6⤵
        Program crash
        
        PID:6116
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 876
        6⤵
        Program crash
        
        PID:3916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 984
        6⤵
        Program crash
        
        PID:4668
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1104
        6⤵
        Program crash
        
        PID:4948
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1148
        6⤵
        Program crash
        
        PID:5416
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1336
        6⤵
        Program crash
        
        PID:5180
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1348
        6⤵
        Program crash
        
        PID:5752
    - - C:\Users\Admin\Pictures\xw6mWe5munYsr5sD7i9altEq.exe
        
        "C:\Users\Admin\Pictures\xw6mWe5munYsr5sD7i9altEq.exe"
        5⤵
        
        PID:4128
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5228
      - C:\Users\Admin\Pictures\xw6mWe5munYsr5sD7i9altEq.exe
        
        "C:\Users\Admin\Pictures\xw6mWe5munYsr5sD7i9altEq.exe"
        6⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6048
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:5728
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:1372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4228
    - - C:\Users\Admin\Pictures\28kKhxXqKWzurpvCYrWlgWi5.exe
        
        "C:\Users\Admin\Pictures\28kKhxXqKWzurpvCYrWlgWi5.exe" /s
        5⤵
        
        PID:1848
    - - C:\Users\Admin\Pictures\LcrDNb08jsQS9BQBV7UIpfv5.exe
        
        "C:\Users\Admin\Pictures\LcrDNb08jsQS9BQBV7UIpfv5.exe"
        5⤵
        
        PID:4184
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3700
      - C:\Users\Admin\Pictures\LcrDNb08jsQS9BQBV7UIpfv5.exe
        
        "C:\Users\Admin\Pictures\LcrDNb08jsQS9BQBV7UIpfv5.exe"
        6⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5024
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:5516
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:3660
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3296
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5460
    - - C:\Users\Admin\Pictures\oVTxEVNaPZsFGfc5JkHE6Rwt.exe
        
        "C:\Users\Admin\Pictures\oVTxEVNaPZsFGfc5JkHE6Rwt.exe"
        5⤵
        
        PID:4904
    - - C:\Users\Admin\Pictures\8vgmf9XaG84N26Q25MuKsva4.exe
        
        "C:\Users\Admin\Pictures\8vgmf9XaG84N26Q25MuKsva4.exe"
        5⤵
        
        PID:1444
      - C:\Users\Admin\AppData\Local\Temp\7zSC4F.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        6⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        8⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        
        PID:5808
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        10⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        8⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        
        PID:5708
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        10⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        8⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        
        PID:3496
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        10⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        8⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        
        PID:5596
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        10⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        8⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4832
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        11⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5708
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSC4F.tmp\Install.exe\" it /KTrdidyTWr 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:4828
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        7⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        8⤵
        
        PID:2468
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        9⤵
        
        PID:3780
    - - C:\Users\Admin\Pictures\UK7bAfK0xDXUDzGNp7N64MCF.exe
        
        "C:\Users\Admin\Pictures\UK7bAfK0xDXUDzGNp7N64MCF.exe"
        5⤵
        
        PID:5252
      - C:\Users\Admin\AppData\Local\Temp\7zS13E1.tmp\Install.exe
        
        .\Install.exe /tEdidDDf "385118" /S
        6⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        7⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        8⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        9⤵
        
        PID:5400
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        10⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        8⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        9⤵
        
        PID:1864
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        10⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        8⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        9⤵
        
        PID:2708
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        10⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        8⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        9⤵
        
        PID:2424
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        10⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        8⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        9⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2136
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        11⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        7⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5796
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS13E1.tmp\Install.exe\" it /dRldidfCtB 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:1416
    - - C:\Users\Admin\Pictures\vXfmTiU3z3EyXxohtPGIjbzm.exe
        
        "C:\Users\Admin\Pictures\vXfmTiU3z3EyXxohtPGIjbzm.exe"
        5⤵
        
        PID:5724

C:\Program Files (x86)\GameStabilityService\GameService.exe
"C:\Program Files (x86)\GameStabilityService\GameService.exe"
1⤵
PID:4696
- C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe
  "C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"
  2⤵
  PID:2848
- C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe
  "C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"
  2⤵
  PID:860
- C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe
  "C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"
  2⤵
  PID:1072
- C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe
  "C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"
  2⤵
  PID:1268
- C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe
  "C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe"
  2⤵
  PID:5524

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
1⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
1⤵
PID:4020

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
1⤵
PID:5884

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
1⤵
PID:6140
- C:\Windows\SysWOW64\cmd.exe
  /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
  2⤵
  PID:5596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process -WindowStyle Hidden gpupdate.exe /force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameStabilityService\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe

Filesize
6.2MB

MD5
c4f2b643c3ff9bb7ae4fd625c9d98154

SHA1
bd7c7190e45cbda09be256bee7622bb74f75f00c

SHA256
76b585b4eac7b0584f28d66d6bf37ad29b1ab73354cbd3c5bb1c819787208f0b

SHA512
2efeaf9473ac1a8f42fd5870154faa37b06e4f331768cd7934fd4aa685eb6da4e28eaa7357807c4bf37dd79fc4a5eaf70ab4324ed0100dcdb4abaf4d9b0a7dcb

Download Submit
C:\Program Files (x86)\GameStabilityService\GameStabilityService.exe

Filesize
5.4MB

MD5
7b56c54cf468681422af5f2e24bea5c3

SHA1
8957218ee374af6eaf34ecc23548c17e65e807a1

SHA256
5183418324758d331611ddd20eb34520944018f6ea9704568e88999746124508

SHA512
b0c838044c41c3f344bc3cad6a686230d1bfe1a97f695bab42a2281a350929c28a3e831845dcf11540f9e1d9c73e6498a5832f016e66e9bef5606c3bf5327678

Download Submit
C:\Program Files (x86)\GameStabilityService\installm.bat

Filesize
247B

MD5
192ae14b572f1bdd164ee67855d5a83a

SHA1
9cf0757c807a8b834470d216ccd85be9a6b60aa0

SHA256
2f6be6b40cf7c1802b6540dbf0b90eac67fd6a94067a06090e1f71bee164188d

SHA512
18fc80eb3d450359863d61cf9123a08cdfe8c52d5f59e97f5b42816584d474d8a080bb75e7fe92480d2961481d59584a3987b2e7a15e611b58885b4441085e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
799bb98d410fe5d384aab83f6e66afb8

SHA1
17f03b94279ae0823bcc45c6b4c167ba6fb66ad8

SHA256
4a4decdccfc9becfeb8fd9735289ddee9c2456bbf7465c32f1b91d88800a44aa

SHA512
1c08819d91e700acebfcb93ebcd451b6fdaeaefaaef53bd28a34e52a7e97f1cd30b54e4a871cdf50bb864a7aee3d741761b27354c2bd5fb5aaaa7a2141ec1382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
aea7571af9e3a77fa229234ee13acd9c

SHA1
99fb8c3f7b78c650fc4a80dbe126a0870fc68d11

SHA256
04a9daf9ce56a3d69dc8e47c28bb999b371af673b2c0298492a1b0a1c58b3efe

SHA512
d935916839d8d8f21318d8a3072734209dd61ac009ad1a0dad32a1b90e778108d973b0b3fec99bbb2a62305d69a4ddde57fbaf628d46c8f62993838b375e1d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
656B

MD5
184a117024f3789681894c67b36ce990

SHA1
c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e

SHA256
b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e

SHA512
354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
830B

MD5
e6edb41c03bce3f822020878bde4e246

SHA1
03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9

SHA256
9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454

SHA512
2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe

Filesize
2.7MB

MD5
31841361be1f3dc6c2ce7756b490bf0f

SHA1
ff2506641a401ac999f5870769f50b7326f7e4eb

SHA256
222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee

SHA512
53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe

Filesize
474KB

MD5
e967f019b01357086d92181e6ee28e0b

SHA1
7f26480ea5ca0ee9481dfc0bea12194bd6f10283

SHA256
c69c17f4c6b2206437e7954c02424b80605d40e98c0adcad6839e170c94b1c82

SHA512
dd2abe993397cf9f117753fd71ed9f98c4952616ee30f10479fbc3dad93a88dcfbfd6b80083541c7a796936dd37667a0f178156bdf5c35abf76dd8b23015d88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe

Filesize
304KB

MD5
9faf597de46ed64912a01491fe550d33

SHA1
49203277926355afd49393782ae4e01802ad48af

SHA256
0854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715

SHA512
ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe

Filesize
2.0MB

MD5
1d814be25e80fa6739f6f1eec2018102

SHA1
44353b52a72e3f5c46b3d6078aab1211ce33b4fd

SHA256
01862602fb4853d90796a1a669b4ec4ab5e8cc6a774bf94e707171d5e16594fc

SHA512
15732577c4fd4a0d2303df2f2d623e165c94f5b8dcd92724681d41ac35ecefbe8c04052329ec6938a594086bf8a19a54253be9f33cc8b3a298261467cddf5578

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe

Filesize
778KB

MD5
05b11e7b711b4aaa512029ffcb529b5a

SHA1
a8074cf8a13f21617632951e008cdfdace73bb83

SHA256
2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa

SHA512
dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe

Filesize
1.2MB

MD5
56e7d98642cfc9ec438b59022c2d58d7

SHA1
26526f702e584d8c8b629b2db5d282c2125665d7

SHA256
a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383

SHA512
0be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe

Filesize
379KB

MD5
009669d63111ff8efad651efac7333af

SHA1
d0ebf3a228e2d44e094aa3b1b056176bc05c8f40

SHA256
4736228698b5bb9b7dc86f4dbfe539e54fe5f5153be6c4aec7b8269e34c7a84b

SHA512
dbf32ce7ba68fa88f508bced74b898baa73679216374d885e279eaf848c8f197294f66a0131491050f70f93413d973cc1fe7245e8128758a6103a453e7aed808

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000263001\dl.exe

Filesize
280KB

MD5
cb1f2045d2f27f72f4355a7c47f79df1

SHA1
3949d2c25dc8df2bae4a85d36b57e832bf1b85d4

SHA256
922d613b8d13c27b9c7f36aaffc577e12fb308f02008503f4f1d961a300ad76b

SHA512
cfd147e01f752b6837ca57550b16f6e1a85c9cc62484264ba7c0d5deb7b4922e508e3d01f605a6e948fb7236dd9d313c0e4e0411f9e075054e5b9510dc8a0ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000264001\toolspub1.exe

Filesize
221KB

MD5
b7481ed8b86e5fec088b6258b78ba106

SHA1
80dadef93ee84733264a0810f062ff4eab0e07a9

SHA256
99fca35435dc4543fa71e937f75b8113005fa768e649219d83ac6c8da796d29f

SHA512
191327b9b0bd45f5f8782e01a4e2e3fecfd89d6429e38b9e9fc6aa932e3dcfca2c76e8c1f98d8291f48fc01c1c621dcc3d66b36feb70908a637c9291a2987e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000265001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
1.7MB

MD5
948425e0835aa8e6af069aab218ef2df

SHA1
22d85350f5ccaa6b52fa54db9510dd51a9c71872

SHA256
872eca0f90024c0ba8e333d133b78e5f48b987cb25a142309aac21cdbffd19b7

SHA512
843ebba275026219686471aae411c5caba8979e69be7a5c6fc346ef1e068b508e9bbcf21bbcbaffe2e6d162fd191ad56abd604391e14fede2c18f03fe829d58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000265001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
4.1MB

MD5
27e1a63cedffde5c50d471f45601e64a

SHA1
1e8d0b3b03e27652cdd8d06e781516ef525441e5

SHA256
7514be74f07c017be8c456c853ee5b49ab3973bc59b690fbe418d822a056716b

SHA512
e3545aca94e9d455dbd54d95ed2ff91dfa3c9ecd515b5bdf9d3e8af1573400c6e02f627503f16b7757916086ecba92393bc78aae7aeffea44487236a12fd4144

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
208B

MD5
2dbc71afdfa819995cded3cc0b9e2e2e

SHA1
60e1703c3fd4fe0fba9f1e65e10a61e0e72d9faf

SHA256
5a0070457636d37c11deb3148f6914583148fe45a66f44d7852f007ed5aad0ac

SHA512
0c59fa999ed912e6e747017c4e4c73f37ed7a72654f95eaea3db899308468e8756621db6e4edfd79e456ec69ce2e3e880817410b6aab1d01414f6300240d8b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Filesize
1.8MB

MD5
0ba8785d268e2b1ca368efbf4be11695

SHA1
7d0fc1c9e2209a18d7e4c729f026ef41d79f56dc

SHA256
31f7a72fe5be99bce5d5eb0de12181cf82b788e3677845614a1c3a2596e8c104

SHA512
a1983e94795a6fbd57c38250a1d1c7673debd39d896488dc066aaeffba95e1874662a0964a56b3145a20152a75b22bc774703f272784c0c1e93a97f528366c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS13E1.tmp\Install.exe

Filesize
5.8MB

MD5
a29c21cfa9a2e6febfaa6da84605518a

SHA1
3307c25a455af2a83d25bf155cc77f4661cadca1

SHA256
64eeace243442c16b93a5d4af6cb15937774a36f1bf674b1735f4045a6317c14

SHA512
d480bc06d37834e5802599986ac27d46cf0269e5b5c920d178f95b74c9fc11db1ee7a9db0517dad6f11cbf8764ca900fe1912f5d3a9e9edc22273fcdfb84009b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp7E96.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ri4sa0s.flu.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\UhpZgOfhkGduyff43cIGEW76.exe

Filesize
3.6MB

MD5
048c6fdd008b06bb7975fd26c7ec28d9

SHA1
0db4591285d1a8026bb833bec9556d4942abbe2e

SHA256
844011352209e4cbecc89ca89c712a125587de4943775826ec9d0b0ad7a70570

SHA512
7a0c336fe53beef5970ee0649e994edeb6088105fdaddbe1617d587fa604ffabc957b193bdebbd29553be2dd9ad238e48822738a2c0fd39fbbebedf49edadc8e

Download Submit
C:\Users\Admin\AppData\Local\d0cOjmhfMrKiiD1jNQu5umDY.exe

Filesize
5.8MB

MD5
9dc65ffb1f44a570c05e124bf17481b7

SHA1
efb832b1bd17dcf1e59238fc54916c0b826ee03d

SHA256
d84f1ef407f2313485de16e64cfe64583c910c9f6179501af33ae3e09fd9f1dd

SHA512
3bcd4d37616831da281be85712c92104bbed731e4dc8a40cba8bf69c063153d18747dccaae471dde59d0fff10e430ad9dd0393930bc534d255936c151de44a57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3968772205-1713802336-1776639840-1000\76b53b3ec448f7ccdda2063b15d2bfc3_f4fe33a0-f73d-4d5c-8730-deeef20ef238

Filesize
2KB

MD5
daa254391be665dd15b7a676a12c8571

SHA1
b5569c8df547ea335e50e9922906cffe8fb73f54

SHA256
bf5c9d503b4cdbb86876c1d2fd2e8fabe9eff6b9b2432c673de956c0942a5046

SHA512
456978e4ad9850064721e4a20c3efc3566aa4599dee9ccc8eb2717ee147d572a9d46b8cbd2fb7866d2ac893e41a37497f52908bc94dc69748c52cf3a26c00dd8

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

Filesize
304KB

MD5
0c582da789c91878ab2f1b12d7461496

SHA1
238bd2408f484dd13113889792d6e46d6b41c5ba

SHA256
a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67

SHA512
a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

Filesize
750KB

MD5
20ae0bb07ba77cb3748aa63b6eb51afb

SHA1
87c468dc8f3d90a63833d36e4c900fa88d505c6d

SHA256
daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d

SHA512
db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

Download Submit
C:\Users\Admin\Pictures\28kKhxXqKWzurpvCYrWlgWi5.exe

Filesize
1.5MB

MD5
cd4acedefa9ab5c7dccac667f91cef13

SHA1
bff5ce910f75aeae37583a63828a00ae5f02c4e7

SHA256
dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c

SHA512
06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

Download Submit
C:\Users\Admin\Pictures\28kKhxXqKWzurpvCYrWlgWi5.exe

Filesize
1.1MB

MD5
e981db15200ed87333db93e13a9a148e

SHA1
65d55608b7e299573aa9d6c0390198e4b760b6dc

SHA256
08bb6c2f3a0b896a512951c55668213ed9f60e573e7da7c455158a5cee3aacac

SHA512
bd947e954c093dc525cf153cb2e4fdaad0acce1078e5bfe596594497045167b9fd58881367b37bef4adbff1b4c33f73f5ae474866873e87c7ed47e3d980e1682

Download Submit
C:\Users\Admin\Pictures\OCASSUAt2mtF3S2IAVev9aiU.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\oVTxEVNaPZsFGfc5JkHE6Rwt.exe

Filesize
6.2MB

MD5
382307497abd634a05135b72690f8b2a

SHA1
87e587c8fc92e93cc5742ec3ba461ed2f28e4ad6

SHA256
45ab37527b51f17c6665856e1266f916a1ddf8609c9e3106904219c909c78cb9

SHA512
8021605db06782b311e530e929c8b9de144bbf778f651f90892821e7ecc854820556330afcfbfb4637e1db456cb0c6ab8bbacfbd90ba4a802d55066521df1c60

Download Submit
C:\Users\Admin\Pictures\xw6mWe5munYsr5sD7i9altEq.exe

Filesize
4.1MB

MD5
1eee28bc105cbbd364cca7b2db042a8c

SHA1
ee4370c95fdc7ac05b80bf69fdbb555c96e1b728

SHA256
a23c303215aaf509077321343e5de6fcdc1d1f6ba7f752e316452818899beeab

SHA512
330230ba0c892bf6b37fd103ee323d931bd5c980f2506dfe603b3f9d5f582005d069309026534c3a5be7231806a173be2a111b38ea8189ae1298db26430489a0

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
5a9ee0498768cfcc5c61516fc5d780cd

SHA1
9ca59745b147d36da00237f6fed755738f5c759b

SHA256
bde6e40a986984ed4dbfa69316c684b3ea2d5682ef6a66f34e9c0e0bfddfe3e5

SHA512
275ee6966195d4ac0371a63de36e460936a706a1bbe80b815b6516eaa175227513a6158be0b72accddb3d1f303439d591e34776c3eda9b658d7e5fcbb5a9c6ed

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
51d37a6f0a01c3da307a594b6f2c6510

SHA1
4e1fb0042fbe4c295e5acdd13f0aeb41e926f2a9

SHA256
82639a46d431039660203b830b36c8df000128fe9c4d813acfa849a56472d89e

SHA512
34768d4536f46fe386f6d84b7f6bcd5314de08f9fdd7cd264421be237b3e5047caebd73334b4fac3b7d84fb8281501fe00c37a4c10055018fd1e3ac6656e5dc4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
357e4ca5fcee2d41a016b91530280084

SHA1
7bdc0c006f0e1962646d2239ee71765d39689736

SHA256
6b8325c06bcf4b517b2598f0911a9086790011458f4a6a09f058ea2e7dd91a59

SHA512
cd6f801b1c6ff8e9c5af2fb2f198d847a2ab8491311c5df8286acbaff82c24d17f6e7e84dfca2c3d1cc8fd5f8b3c59279b61ca5815e5a52ec9c51eda22c1104f

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\{2EA0FA32-4E4A-4c3b-82AD-1987C25FFB7F}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
memory/772-4084-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1992-355-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2084-5-0x00000000013E0000-0x00000000018A6000-memory.dmp

Filesize
4.8MB

Download
memory/2084-13-0x00000000013E0000-0x00000000018A6000-memory.dmp

Filesize
4.8MB

Download
memory/2084-3-0x00000000013E0000-0x00000000018A6000-memory.dmp

Filesize
4.8MB

Download
memory/2084-2-0x00000000013E1000-0x000000000140F000-memory.dmp

Filesize
184KB

Download
memory/2084-1-0x0000000077534000-0x0000000077535000-memory.dmp

Filesize
4KB

Download
memory/2084-0-0x00000000013E0000-0x00000000018A6000-memory.dmp

Filesize
4.8MB

Download
memory/2344-874-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2544-745-0x000000000A900000-0x000000000A908000-memory.dmp

Filesize
32KB

Download
memory/2544-412-0x0000000008240000-0x00000000082A6000-memory.dmp

Filesize
408KB

Download
memory/2544-410-0x00000000079B0000-0x0000000007FD8000-memory.dmp

Filesize
6.2MB

Download
memory/2544-406-0x0000000007320000-0x0000000007356000-memory.dmp

Filesize
216KB

Download
memory/2544-411-0x0000000008060000-0x0000000008082000-memory.dmp

Filesize
136KB

Download
memory/2544-413-0x00000000084A0000-0x00000000087F0000-memory.dmp

Filesize
3.3MB

Download
memory/2544-422-0x0000000008800000-0x000000000884B000-memory.dmp

Filesize
300KB

Download
memory/2544-421-0x0000000008370000-0x000000000838C000-memory.dmp

Filesize
112KB

Download
memory/2544-442-0x0000000008D90000-0x0000000008DCC000-memory.dmp

Filesize
240KB

Download
memory/2544-510-0x000000000A760000-0x000000000A793000-memory.dmp

Filesize
204KB

Download
memory/2544-518-0x000000000A7A0000-0x000000000A845000-memory.dmp

Filesize
660KB

Download
memory/2544-513-0x000000000A740000-0x000000000A75E000-memory.dmp

Filesize
120KB

Download
memory/2544-512-0x000000006E3F0000-0x000000006E740000-memory.dmp

Filesize
3.3MB

Download
memory/2544-520-0x000000000A9C0000-0x000000000AA54000-memory.dmp

Filesize
592KB

Download
memory/2544-511-0x000000006FAC0000-0x000000006FB0B000-memory.dmp

Filesize
300KB

Download
memory/2544-740-0x000000000A920000-0x000000000A93A000-memory.dmp

Filesize
104KB

Download
memory/2656-182-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2656-173-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2656-175-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2684-247-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2684-249-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2824-1314-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2860-296-0x000002064AE00000-0x000002064AE0A000-memory.dmp

Filesize
40KB

Download
memory/2860-353-0x00000206653C0000-0x000002066541C000-memory.dmp

Filesize
368KB

Download
memory/2868-18-0x0000000000870000-0x0000000000D36000-memory.dmp

Filesize
4.8MB

Download
memory/2868-2975-0x0000000000870000-0x0000000000D36000-memory.dmp

Filesize
4.8MB

Download
memory/2868-14-0x0000000000870000-0x0000000000D36000-memory.dmp

Filesize
4.8MB

Download
memory/2868-16-0x0000000000871000-0x000000000089F000-memory.dmp

Filesize
184KB

Download
memory/2868-169-0x0000000000870000-0x0000000000D36000-memory.dmp

Filesize
4.8MB

Download
memory/2868-1315-0x0000000000870000-0x0000000000D36000-memory.dmp

Filesize
4.8MB

Download
memory/2868-337-0x0000000000870000-0x0000000000D36000-memory.dmp

Filesize
4.8MB

Download
memory/2868-1313-0x0000000000870000-0x0000000000D36000-memory.dmp

Filesize
4.8MB

Download
memory/2868-4083-0x0000000000870000-0x0000000000D36000-memory.dmp

Filesize
4.8MB

Download
memory/2868-17-0x0000000000870000-0x0000000000D36000-memory.dmp

Filesize
4.8MB

Download
memory/3296-2647-0x000000006E3F0000-0x000000006E740000-memory.dmp

Filesize
3.3MB

Download
memory/3296-2646-0x000000006FAC0000-0x000000006FB0B000-memory.dmp

Filesize
300KB

Download
memory/3488-99-0x0000000000AA0000-0x0000000000AF2000-memory.dmp

Filesize
328KB

Download
memory/3700-1083-0x000000006FAC0000-0x000000006FB0B000-memory.dmp

Filesize
300KB

Download
memory/3700-1084-0x000000006E3F0000-0x000000006E740000-memory.dmp

Filesize
3.3MB

Download
memory/3776-360-0x00000243FA850000-0x00000243FA872000-memory.dmp

Filesize
136KB

Download
memory/3932-31-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/4104-82-0x0000000006AC0000-0x0000000006B0B000-memory.dmp

Filesize
300KB

Download
memory/4104-81-0x0000000006940000-0x000000000697E000-memory.dmp

Filesize
248KB

Download
memory/4104-77-0x0000000006E40000-0x0000000007446000-memory.dmp

Filesize
6.0MB

Download
memory/4104-75-0x00000000065D0000-0x00000000065EE000-memory.dmp

Filesize
120KB

Download
memory/4104-71-0x0000000005EB0000-0x0000000005F26000-memory.dmp

Filesize
472KB

Download
memory/4104-46-0x00000000052D0000-0x00000000052DA000-memory.dmp

Filesize
40KB

Download
memory/4104-42-0x00000000057B0000-0x0000000005CAE000-memory.dmp

Filesize
5.0MB

Download
memory/4104-44-0x0000000005350000-0x00000000053E2000-memory.dmp

Filesize
584KB

Download
memory/4104-79-0x00000000068E0000-0x00000000068F2000-memory.dmp

Filesize
72KB

Download
memory/4104-41-0x0000000000A10000-0x0000000000A62000-memory.dmp

Filesize
328KB

Download
memory/4104-266-0x0000000008170000-0x000000000869C000-memory.dmp

Filesize
5.2MB

Download
memory/4104-78-0x00000000069B0000-0x0000000006ABA000-memory.dmp

Filesize
1.0MB

Download
memory/4104-265-0x0000000007A70000-0x0000000007C32000-memory.dmp

Filesize
1.8MB

Download
memory/4104-179-0x0000000007550000-0x00000000075A0000-memory.dmp

Filesize
320KB

Download
memory/4104-176-0x0000000006BE0000-0x0000000006C46000-memory.dmp

Filesize
408KB

Download
memory/4116-84-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4116-86-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4128-1319-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4184-1325-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4228-3026-0x000000006E3F0000-0x000000006E740000-memory.dmp

Filesize
3.3MB

Download
memory/4228-3025-0x000000006FAC0000-0x000000006FB0B000-memory.dmp

Filesize
300KB

Download
memory/4236-1312-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4284-122-0x000000001E160000-0x000000001E1D6000-memory.dmp

Filesize
472KB

Download
memory/4284-119-0x000000001E050000-0x000000001E15A000-memory.dmp

Filesize
1.0MB

Download
memory/4284-45-0x0000000000580000-0x0000000000640000-memory.dmp

Filesize
768KB

Download
memory/4284-146-0x000000001F760000-0x000000001FC86000-memory.dmp

Filesize
5.1MB

Download
memory/4284-131-0x000000001B4A0000-0x000000001B4BE000-memory.dmp

Filesize
120KB

Download
memory/4284-120-0x000000001B480000-0x000000001B492000-memory.dmp

Filesize
72KB

Download
memory/4284-121-0x000000001C220000-0x000000001C25E000-memory.dmp

Filesize
248KB

Download
memory/4284-145-0x000000001E730000-0x000000001E8F2000-memory.dmp

Filesize
1.8MB

Download
memory/4560-83-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/4560-85-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/4668-3270-0x0000000008120000-0x000000000816B000-memory.dmp

Filesize
300KB

Download
memory/4668-3317-0x0000000009470000-0x0000000009515000-memory.dmp

Filesize
660KB

Download
memory/4668-3310-0x000000006E3F0000-0x000000006E740000-memory.dmp

Filesize
3.3MB

Download
memory/4668-3309-0x000000006E390000-0x000000006E3DB000-memory.dmp

Filesize
300KB

Download
memory/4676-174-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/4832-3793-0x00000000092D0000-0x00000000092F2000-memory.dmp

Filesize
136KB

Download
memory/4832-3792-0x00000000091D0000-0x00000000091EA000-memory.dmp

Filesize
104KB

Download
memory/4904-1350-0x0000000140000000-0x0000000140C18000-memory.dmp

Filesize
12.1MB

Download
memory/4904-1439-0x0000000140000000-0x0000000140C18000-memory.dmp

Filesize
12.1MB

Download
memory/4904-3324-0x0000000140000000-0x0000000140C18000-memory.dmp

Filesize
12.1MB

Download
memory/4932-2075-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4932-248-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/5024-1836-0x000000006FAC0000-0x000000006FB0B000-memory.dmp

Filesize
300KB

Download
memory/5024-1837-0x000000006E3F0000-0x000000006E740000-memory.dmp

Filesize
3.3MB

Download
memory/5024-1842-0x0000000008E00000-0x0000000008EA5000-memory.dmp

Filesize
660KB

Download
memory/5188-4085-0x00000000002A0000-0x000000000090E000-memory.dmp

Filesize
6.4MB

Download
memory/5204-2561-0x000000006E3F0000-0x000000006E740000-memory.dmp

Filesize
3.3MB

Download
memory/5204-2560-0x000000006FAC0000-0x000000006FB0B000-memory.dmp

Filesize
300KB

Download
memory/5228-823-0x000000006E3F0000-0x000000006E740000-memory.dmp

Filesize
3.3MB

Download
memory/5228-818-0x000000006FAC0000-0x000000006FB0B000-memory.dmp

Filesize
300KB

Download
memory/5360-3251-0x00000000002A0000-0x000000000090E000-memory.dmp

Filesize
6.4MB

Download
memory/5360-3785-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/5460-3398-0x000000006E390000-0x000000006E3DB000-memory.dmp

Filesize
300KB

Download
memory/5460-3399-0x000000006E3F0000-0x000000006E740000-memory.dmp

Filesize
3.3MB

Download
memory/5540-3865-0x00000000096B0000-0x0000000009755000-memory.dmp

Filesize
660KB

Download
memory/5540-3860-0x000000006E3F0000-0x000000006E740000-memory.dmp

Filesize
3.3MB

Download
memory/5540-3859-0x000000006E390000-0x000000006E3DB000-memory.dmp

Filesize
300KB

Download
memory/5676-2974-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5696-2304-0x000000006FAC0000-0x000000006FB0B000-memory.dmp

Filesize
300KB

Download
memory/5696-2305-0x000000006E3F0000-0x000000006E740000-memory.dmp

Filesize
3.3MB

Download
memory/5712-3325-0x00000000010E0000-0x000000000174E000-memory.dmp

Filesize
6.4MB

Download
memory/5712-3825-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/5756-3273-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5756-2977-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5796-3784-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5796-3248-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5820-1355-0x000000006FAC0000-0x000000006FB0B000-memory.dmp

Filesize
300KB

Download
memory/5820-1356-0x000000006E3F0000-0x000000006E740000-memory.dmp

Filesize
3.3MB

Download
memory/5872-2076-0x000000006FAC0000-0x000000006FB0B000-memory.dmp

Filesize
300KB

Download
memory/5872-2077-0x000000006E3F0000-0x000000006E740000-memory.dmp

Filesize
3.3MB

Download
memory/6048-1594-0x000000006E3F0000-0x000000006E740000-memory.dmp

Filesize
3.3MB

Download
memory/6048-1593-0x000000006FAC0000-0x000000006FB0B000-memory.dmp

Filesize
300KB

Download