mercurialgrabber | 96b725f4b6600d65455c4b7c67e417a8c819f06079634f9f8828093509a16054

Virtualization/Sandbox Evasion

Processes:

Conhost.exeGATE.EXEGATE.EXEConhost.exeGATE.EXEGATE.EXEGATE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Conhost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	GATE.EXE
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	GATE.EXE
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Conhost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	GATE.EXE
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	GATE.EXE
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	GATE.EXE

Executes dropped EXE 7 IoCs

Processes:

GATE.EXEGATE.EXEGATE.EXEConhost.exeGATE.EXEGATE.EXEConhost.exe

pid process

1280 GATE.EXE
1520 GATE.EXE
4876 GATE.EXE
1488 Conhost.exe
2704 GATE.EXE
1816 GATE.EXE
1284 Conhost.exe

pid	process
1280	GATE.EXE
1520	GATE.EXE
4876	GATE.EXE
1488	Conhost.exe
2704	GATE.EXE
1816	GATE.EXE
1284	Conhost.exe

Looks for VMWare Tools registry key 2 TTPs 7 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

Conhost.exeGATE.EXEGATE.EXEGATE.EXEConhost.exeGATE.EXEGATE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	Conhost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	GATE.EXE
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	GATE.EXE
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	GATE.EXE
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	Conhost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	GATE.EXE
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	GATE.EXE

Checks BIOS information in registry 2 TTPs 7 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Conhost.exeGATE.EXEGATE.EXEGATE.EXEConhost.exeGATE.EXEGATE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GATE.EXE

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

HELLGATE.EXEHellgate.exeHELLGATE.EXEHELLGATE.EXEHELLGATE.EXEHELLGATE.EXEHELLGATE.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	HELLGATE.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Hellgate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	HELLGATE.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	HELLGATE.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	HELLGATE.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	HELLGATE.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	HELLGATE.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 64 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
201	ip4.seeip.org
117	ip4.seeip.org
169	ip4.seeip.org
256	ip4.seeip.org
355	ip4.seeip.org
112	ip4.seeip.org
236	ip4.seeip.org
252	ip4.seeip.org
260	ip4.seeip.org
310	ip4.seeip.org
21	ip4.seeip.org
325	ip4.seeip.org
146	ip4.seeip.org
219	ip4.seeip.org
287	ip4.seeip.org
345	ip4.seeip.org
352	ip4.seeip.org
164	ip4.seeip.org
229	ip4.seeip.org
257	ip4.seeip.org
6	ip4.seeip.org
262	ip4.seeip.org
324	ip4.seeip.org
343	ip4.seeip.org
360	ip4.seeip.org
116	ip4.seeip.org
188	ip4.seeip.org
222	ip4.seeip.org
110	ip4.seeip.org
277	ip4.seeip.org
294	ip4.seeip.org
366	ip4.seeip.org
5	ip4.seeip.org
172	ip4.seeip.org
286	ip4.seeip.org
350	ip4.seeip.org
358	ip4.seeip.org
63	ip4.seeip.org
154	ip4.seeip.org
174	ip4.seeip.org
239	ip4.seeip.org
278	ip4.seeip.org
279	ip4.seeip.org
319	ip4.seeip.org
357	ip4.seeip.org
136	ip4.seeip.org
44	ip4.seeip.org
11	ip-api.com
123	ip4.seeip.org
104	ip4.seeip.org
53	ip4.seeip.org
143	ip4.seeip.org
275	ip4.seeip.org
302	ip4.seeip.org
16	ip4.seeip.org
89	ip4.seeip.org
98	ip4.seeip.org
122	ip4.seeip.org
8	ip4.seeip.org
135	ip4.seeip.org
167	ip4.seeip.org
263	ip4.seeip.org
293	ip4.seeip.org
30	ip4.seeip.org

Maps connected drives based on registry 3 TTPs 14 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

GATE.EXEGATE.EXEGATE.EXEGATE.EXEGATE.EXEConhost.exeConhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	GATE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	GATE.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	GATE.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	GATE.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	GATE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	GATE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Conhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	GATE.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	GATE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	GATE.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	GATE.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 41 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3116	1280	WerFault.exe	GATE.EXE
4440	1488	WerFault.exe	GATE.EXE
816	2704	WerFault.exe	GATE.EXE
4760	4876	WerFault.exe	GATE.EXE
4968	1284	WerFault.exe	GATE.EXE
1600	1696	WerFault.exe	GATE.EXE
1272	3672	WerFault.exe	GATE.EXE
1064	2480	WerFault.exe	GATE.EXE
4252	2424	WerFault.exe	GATE.EXE
4112	2348	WerFault.exe	GATE.EXE
1504	512	WerFault.exe	GATE.EXE
1704	3772	WerFault.exe	GATE.EXE
3324	1684	WerFault.exe	GATE.EXE
4816	1628	WerFault.exe	GATE.EXE
3400	3020	WerFault.exe	GATE.EXE
4752	4032	WerFault.exe	GATE.EXE
4628	3992	WerFault.exe	GATE.EXE
4656	1296	WerFault.exe	GATE.EXE
4860	3788	WerFault.exe	GATE.EXE
5044	4396	WerFault.exe	GATE.EXE
4452	1696	WerFault.exe	GATE.EXE
4156	1504	WerFault.exe	GATE.EXE
4940	3324	WerFault.exe	GATE.EXE
2272	4100	WerFault.exe	GATE.EXE
1176	2228	WerFault.exe	GATE.EXE
5116	1496	WerFault.exe	GATE.EXE
1396	812	WerFault.exe	GATE.EXE
2272	4812	WerFault.exe	GATE.EXE
8596	2264	WerFault.exe	GATE.EXE
8676	6392	WerFault.exe	GATE.EXE
8876	7140	WerFault.exe	GATE.EXE
8728	3780	WerFault.exe	GATE.EXE
8752	4020	WerFault.exe	GATE.EXE
3124	4428	WerFault.exe	GATE.EXE
8620	4120	WerFault.exe	GATE.EXE
6744	3452	WerFault.exe	GATE.EXE
4596	3628	WerFault.exe	GATE.EXE
4016	3128	WerFault.exe	GATE.EXE
4376	4572	WerFault.exe	GATE.EXE
7632	5288	WerFault.exe	GATE.EXE
9584	5468	WerFault.exe	GATE.EXE

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Conhost.exeGATE.EXEGATE.EXEGATE.EXEConhost.exeGATE.EXEGATE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	Conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	GATE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	GATE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	GATE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	Conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	GATE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	GATE.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

GATE.EXEGATE.EXEGATE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GATE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GATE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GATE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	GATE.EXE

Enumerates system info in registry 2 TTPs 28 IoCs

Query Registry

System Information Discovery

Processes:

GATE.EXEConhost.exeGATE.EXEGATE.EXEGATE.EXEConhost.exeGATE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	GATE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	GATE.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

GATE.EXEGATE.EXEConhost.exeGATE.EXEGATE.EXE

description	pid	process
Token: SeDebugPrivilege	1280	GATE.EXE
Token: SeDebugPrivilege	1520
Token: SeDebugPrivilege	4876	GATE.EXE
Token: SeDebugPrivilege	1488	Conhost.exe
Token: SeDebugPrivilege	2704	GATE.EXE
Token: SeDebugPrivilege	1816	GATE.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

Hellgate.exeHELLGATE.EXEHELLGATE.EXEHELLGATE.EXEHELLGATE.EXEHELLGATE.EXEHELLGATE.EXE

description	pid	process	target process
PID 4752 wrote to memory of 1280	4752	Hellgate.exe	GATE.EXE
PID 4752 wrote to memory of 1280	4752	Hellgate.exe	GATE.EXE
PID 4752 wrote to memory of 3916	4752	Hellgate.exe	HELLGATE.EXE
PID 4752 wrote to memory of 3916	4752	Hellgate.exe	HELLGATE.EXE
PID 4752 wrote to memory of 3916	4752	Hellgate.exe	HELLGATE.EXE
PID 3916 wrote to memory of 1520	3916	HELLGATE.EXE	GATE.EXE
PID 3916 wrote to memory of 1520	3916	HELLGATE.EXE	GATE.EXE
PID 3916 wrote to memory of 3392	3916	HELLGATE.EXE	HELLGATE.EXE
PID 3916 wrote to memory of 3392	3916	HELLGATE.EXE	HELLGATE.EXE
PID 3916 wrote to memory of 3392	3916	HELLGATE.EXE	HELLGATE.EXE
PID 3392 wrote to memory of 4876	3392	HELLGATE.EXE	GATE.EXE
PID 3392 wrote to memory of 4876	3392	HELLGATE.EXE	GATE.EXE
PID 3392 wrote to memory of 852	3392	HELLGATE.EXE	HELLGATE.EXE
PID 3392 wrote to memory of 852	3392	HELLGATE.EXE	HELLGATE.EXE
PID 3392 wrote to memory of 852	3392	HELLGATE.EXE	HELLGATE.EXE
PID 852 wrote to memory of 1488	852	HELLGATE.EXE	Conhost.exe
PID 852 wrote to memory of 1488	852	HELLGATE.EXE	Conhost.exe
PID 852 wrote to memory of 2924	852	HELLGATE.EXE	HELLGATE.EXE
PID 852 wrote to memory of 2924	852	HELLGATE.EXE	HELLGATE.EXE
PID 852 wrote to memory of 2924	852	HELLGATE.EXE	HELLGATE.EXE
PID 2924 wrote to memory of 2704	2924	HELLGATE.EXE	GATE.EXE
PID 2924 wrote to memory of 2704	2924	HELLGATE.EXE	GATE.EXE
PID 2924 wrote to memory of 2180	2924	HELLGATE.EXE	HELLGATE.EXE
PID 2924 wrote to memory of 2180	2924	HELLGATE.EXE	HELLGATE.EXE
PID 2924 wrote to memory of 2180	2924	HELLGATE.EXE	HELLGATE.EXE
PID 2180 wrote to memory of 1816	2180	HELLGATE.EXE	GATE.EXE
PID 2180 wrote to memory of 1816	2180	HELLGATE.EXE	GATE.EXE
PID 2180 wrote to memory of 1392	2180	HELLGATE.EXE	HELLGATE.EXE
PID 2180 wrote to memory of 1392	2180	HELLGATE.EXE	HELLGATE.EXE
PID 2180 wrote to memory of 1392	2180	HELLGATE.EXE	HELLGATE.EXE
PID 1392 wrote to memory of 1284	1392	HELLGATE.EXE	Conhost.exe
PID 1392 wrote to memory of 1284	1392	HELLGATE.EXE	Conhost.exe
PID 1392 wrote to memory of 3436	1392	HELLGATE.EXE	HELLGATE.EXE
PID 1392 wrote to memory of 3436	1392	HELLGATE.EXE	HELLGATE.EXE
PID 1392 wrote to memory of 3436	1392	HELLGATE.EXE	HELLGATE.EXE

C:\Users\Admin\AppData\Local\Temp\Hellgate.exe
"C:\Users\Admin\AppData\Local\Temp\Hellgate.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4752

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1280 -s 2028
3⤵
- Program crash
PID:3116

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
3⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:1520

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3392

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
4⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4876 -s 2044
5⤵
- Program crash
PID:4760

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
5⤵
PID:1488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1488 -s 2016
6⤵
- Program crash
PID:4440

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
6⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2704 -s 2008
7⤵
- Program crash
PID:816

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
7⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
7⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
8⤵
PID:1284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1284 -s 2016
9⤵
- Program crash
PID:4968

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
8⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
9⤵
PID:1696

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1696 -s 2012
10⤵
- Program crash
PID:1600

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
9⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
10⤵
PID:3672

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3672 -s 2032
11⤵
- Program crash
PID:1272

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
10⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
11⤵
PID:2480

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2480 -s 2028
12⤵
- Program crash
PID:1064

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
11⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
12⤵
PID:2424

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2424 -s 2036
13⤵
- Program crash
PID:4252

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
12⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
13⤵
PID:2348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2348 -s 2028
14⤵
- Program crash
PID:4112

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
13⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
14⤵
PID:512

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 512 -s 2028
15⤵
- Program crash
PID:1504

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
14⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
15⤵
PID:3772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3772 -s 2032
16⤵
- Program crash
PID:1704

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
15⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
16⤵
PID:1684

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1684 -s 2028
17⤵
- Program crash
PID:3324

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
16⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
17⤵
PID:1628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1628 -s 2024
18⤵
- Program crash
PID:4816

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
17⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
18⤵
PID:3020

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3020 -s 2008
19⤵
- Program crash
PID:3400

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
18⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
19⤵
PID:4032

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4032 -s 2044
20⤵
- Program crash
PID:4752

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
19⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
20⤵
PID:3992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3992 -s 2032
21⤵
- Program crash
PID:4628

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
20⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
21⤵
PID:1296

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1296 -s 2056
22⤵
- Program crash
PID:4656

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
21⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
22⤵
PID:3788

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3788 -s 2016
23⤵
- Program crash
PID:4860

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
22⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
23⤵
PID:1696

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1696 -s 2008
24⤵
- Program crash
PID:4452

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
23⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
24⤵
PID:4396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4396 -s 2032
25⤵
- Program crash
PID:5044

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
24⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
25⤵
PID:1504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1504 -s 2008
26⤵
- Program crash
PID:4156

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
25⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
26⤵
PID:3324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3324 -s 2008
27⤵
- Program crash
PID:4940

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
26⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
27⤵
PID:4100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
28⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:1284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4100 -s 2032
28⤵
- Program crash
PID:2272

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
27⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
28⤵
PID:2228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2228 -s 2008
29⤵
- Program crash
PID:1176

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
28⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
29⤵
PID:1496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
30⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1496 -s 2036
30⤵
- Program crash
PID:5116

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
29⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
30⤵
PID:812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 812 -s 2028
31⤵
- Program crash
PID:1396

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
30⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
31⤵
PID:4812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4812 -s 2028
32⤵
- Program crash
PID:2272

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
31⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
32⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
33⤵
PID:3128

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3128 -s 2000
34⤵
- Program crash
PID:4016

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
33⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
34⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
35⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
35⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
36⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
37⤵
PID:4572

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4572 -s 2012
38⤵
- Program crash
PID:4376

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
37⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
38⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
39⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
40⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
40⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
41⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
42⤵
PID:3976

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
43⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
44⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
45⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
46⤵
PID:368

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
47⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
47⤵
PID:5180

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
48⤵
PID:5320

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
49⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
50⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
51⤵
PID:5828

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
52⤵
PID:5968

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
52⤵
PID:6016

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
53⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
54⤵
PID:5588

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
55⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
56⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
57⤵
PID:6208

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
58⤵
PID:6392

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6392 -s 2032
59⤵
- Program crash
PID:8676

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
58⤵
PID:6416

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
59⤵
PID:6604

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
60⤵
PID:6756

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
61⤵
PID:6840

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
61⤵
PID:6900

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
62⤵
PID:7020

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
62⤵
PID:7052

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
63⤵
PID:7152

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
64⤵
PID:6208

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
64⤵
PID:6500

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
65⤵
PID:6972

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
66⤵
PID:7200

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
66⤵
PID:7264

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
67⤵
PID:7548

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
68⤵
PID:7768

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
68⤵
PID:7776

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
69⤵
PID:7944

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
69⤵
PID:7952

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
70⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
71⤵
PID:7776

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
71⤵
PID:7952

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
72⤵
PID:8344

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
73⤵
PID:8472

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
73⤵
PID:8492

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
74⤵
PID:8848

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
75⤵
PID:6032

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
76⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
76⤵
PID:6284

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
77⤵
PID:9076

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
78⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
78⤵
PID:9112

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
79⤵
PID:8320

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
80⤵
PID:6348

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
80⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
81⤵
PID:6756

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
81⤵
PID:7368

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
82⤵
PID:8344

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
83⤵
PID:6788

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
84⤵
PID:6504

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
85⤵
PID:5520

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
85⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
86⤵
PID:6544

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
87⤵
PID:8428

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
87⤵
PID:6432

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
88⤵
PID:6072

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
88⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
89⤵
PID:7296

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
89⤵
PID:7680

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
90⤵
PID:5752

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
90⤵
PID:5812

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
91⤵
PID:5280

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
91⤵
PID:5940

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
92⤵
PID:5392

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
93⤵
PID:7140

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
93⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
94⤵
PID:7204

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
94⤵
PID:8592

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
95⤵
PID:7208

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
95⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
96⤵
PID:9000

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
96⤵
PID:8888

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
97⤵
PID:9196

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
98⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
98⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
99⤵
PID:5820

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
99⤵
PID:5460

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
100⤵
PID:8116

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
100⤵
PID:6816

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
101⤵
PID:6252

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
101⤵
PID:7428

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
102⤵
PID:6148

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
103⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
103⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
104⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
105⤵
PID:6456

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
105⤵
PID:6316

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
106⤵
PID:6156

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
106⤵
PID:5392

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
107⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
107⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
108⤵
PID:5128

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
108⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
109⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
109⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
110⤵
PID:5848

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
110⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
111⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
111⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
112⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
112⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
113⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
113⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
114⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
114⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
115⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
115⤵
PID:5588

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
116⤵
PID:7036

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
116⤵
PID:9236

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
117⤵
PID:9408

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
117⤵
PID:9416

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
118⤵
PID:9652

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
119⤵
PID:9800

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
119⤵
PID:9816

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
120⤵
PID:9968

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
120⤵
PID:10020

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
121⤵
PID:10148

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
122⤵
PID:9284

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
122⤵
PID:9324

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
123⤵
PID:5508

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
123⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
124⤵
PID:9752

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
124⤵
PID:7952

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
125⤵
PID:9980

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
125⤵
PID:9848

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
126⤵
PID:9724

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
126⤵
PID:9264

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
127⤵
PID:5512

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
128⤵
PID:9512

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
129⤵
PID:10328

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
130⤵
PID:10464

C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE
"C:\Users\Admin\AppData\Local\Temp\HELLGATE.EXE"
130⤵
PID:10504

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
129⤵
PID:10320

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
128⤵
PID:5836

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
127⤵
PID:10088

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
121⤵
PID:10136

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
118⤵
PID:9640

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
104⤵
PID:6504

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
102⤵
PID:8088

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
97⤵
PID:5188

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
92⤵
PID:6080

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
86⤵
PID:6524

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
84⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
83⤵
PID:6648

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
82⤵
PID:9152

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
79⤵
PID:7028

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
77⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
75⤵
PID:8740

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
74⤵
PID:8828

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
72⤵
PID:8332

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
70⤵
PID:7212

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
67⤵
PID:7516

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
65⤵
PID:7036

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
63⤵
PID:7140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7140 -s 1920
64⤵
- Program crash
PID:8876

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
60⤵
PID:6720

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
59⤵
PID:6548

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
57⤵
PID:6184

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
56⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
55⤵
PID:5944

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
54⤵
PID:5420

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
53⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
51⤵
PID:5800

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
50⤵
PID:5636

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
49⤵
PID:5468

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5468 -s 1940
50⤵
- Program crash
PID:9584

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
48⤵
PID:5288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5288 -s 1504
49⤵
- Program crash
PID:7632

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
46⤵
PID:3452

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3452 -s 2000
47⤵
- Program crash
PID:6744

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
45⤵
PID:4428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4428 -s 1620
46⤵
- Program crash
PID:3124

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
44⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
43⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
42⤵
PID:4020

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4020 -s 2000
43⤵
- Program crash
PID:8752

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
41⤵
PID:4120

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4120 -s 1992
42⤵
- Program crash
PID:8620

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
39⤵
PID:2264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2264 -s 2000
40⤵
- Program crash
PID:8596

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
38⤵
PID:3780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3780 -s 2008
39⤵
- Program crash
PID:8728

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
36⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
34⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\GATE.EXE
"C:\Users\Admin\AppData\Local\Temp\GATE.EXE"
32⤵
PID:3628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3628 -s 1984
33⤵
- Program crash
PID:4596

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 1280 -ip 1280
1⤵
PID:2752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 1488 -ip 1488
1⤵
PID:5108

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 4876 -ip 4876
1⤵
PID:4028

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 2704 -ip 2704
1⤵
PID:3740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 1520 -ip 1520
1⤵
PID:2348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 1816 -ip 1816
1⤵
PID:1180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 1284 -ip 1284
1⤵
PID:4636

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 1696 -ip 1696
1⤵
PID:4060

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 508 -p 3672 -ip 3672
1⤵
PID:4580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 2480 -ip 2480
1⤵
PID:2916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 2424 -ip 2424
1⤵
PID:4808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 2348 -ip 2348
1⤵
PID:2712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 512 -ip 512
1⤵
PID:4644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 3772 -ip 3772
1⤵
PID:3668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 1684 -ip 1684
1⤵
PID:3032

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 1628 -ip 1628
1⤵
PID:4920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 3020 -ip 3020
1⤵
PID:516

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 4032 -ip 4032
1⤵
PID:4924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 3992 -ip 3992
1⤵
PID:2848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 1296 -ip 1296
1⤵
PID:4592

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 3788 -ip 3788
1⤵
PID:4924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 1696 -ip 1696
1⤵
PID:2564

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 4396 -ip 4396
1⤵
PID:1232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 1504 -ip 1504
1⤵
PID:3028

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 3324 -ip 3324
1⤵
PID:4924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 4100 -ip 4100
1⤵
PID:1300

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 508 -p 2228 -ip 2228
1⤵
PID:2148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 1496 -ip 1496
1⤵
PID:1988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 664 -p 812 -ip 812
1⤵
PID:3796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 648 -p 4812 -ip 4812
1⤵
PID:4532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 2264 -ip 2264
1⤵
PID:8524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 6392 -ip 6392
1⤵
PID:8604

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 652 -p 5800 -ip 5800
1⤵
PID:8716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 664 -p 3696 -ip 3696
1⤵
PID:8740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 656 -p 4608 -ip 4608
1⤵
PID:8812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 684 -p 3672 -ip 3672
1⤵
PID:8836

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 636 -p 7020 -ip 7020
1⤵
PID:8936

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 708 -p 6840 -ip 6840
1⤵
PID:8956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 680 -p 6184 -ip 6184
1⤵
PID:9000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 724 -p 4148 -ip 4148
1⤵
PID:9024

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 6720 -ip 6720
1⤵
PID:8780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 732 -p 6208 -ip 6208
1⤵
PID:9096

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 712 -p 5420 -ip 5420
1⤵
PID:9188

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 6548 -ip 6548
1⤵
PID:9168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 636 -p 4016 -ip 4016
1⤵
PID:9132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 5968 -ip 5968
1⤵
PID:9056

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 7140 -ip 7140
1⤵
PID:8700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 3780 -ip 3780
1⤵
PID:8588

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 1852 -ip 1852
1⤵
PID:6660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 652 -p 4020 -ip 4020
1⤵
PID:8488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 704 -p 1408 -ip 1408
1⤵
PID:6864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 688 -p 7036 -ip 7036
1⤵
PID:8496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 760 -p 4428 -ip 4428
1⤵
PID:1100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 792 -p 5944 -ip 5944
1⤵
PID:8400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 756 -p 4912 -ip 4912
1⤵
PID:8952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 716 -p 3452 -ip 3452
1⤵
PID:4956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 796 -p 7200 -ip 7200
1⤵
PID:6012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 768 -p 5136 -ip 5136
1⤵
PID:4064

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 780 -p 5636 -ip 5636
1⤵
PID:6868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 752 -p 4120 -ip 4120
1⤵
PID:8044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 704 -p 3628 -ip 3628
1⤵
PID:5840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 808 -p 3128 -ip 3128
1⤵
PID:6816

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 664 -p 4572 -ip 4572
1⤵
PID:476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 756 -p 5288 -ip 5288
1⤵
PID:1228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 812 -p 5468 -ip 5468
1⤵
PID:9500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery